From c3745720650268de1f1b06e2b3dc891122ace9bb Mon Sep 17 00:00:00 2001 From: Bojan Suzic Date: Wed, 5 Feb 2014 12:38:45 +0100 Subject: changing some stork parameters; adjusting spss maven config --- .../serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java | 1 + 1 file changed, 1 insertion(+) (limited to 'spss/server/serverlib/src') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java index 30eed7001..6cf46c50a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/MOAException.java @@ -36,6 +36,7 @@ import org.w3c.dom.Element; import at.gv.egovernment.moa.util.Constants; + import at.gv.egovernment.moa.spss.util.MessageProvider; /** -- cgit v1.2.3 From 67b1ab17d8ab539ef158ccce7d63d222251aed3e Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Thu, 6 Mar 2014 20:07:07 +0100 Subject: Bugfix fileupload for CMSVerifyRequest --- .../moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java | 2 +- .../moa/spss/server/invoke/CMSSignatureVerificationInvoker.java | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'spss/server/serverlib/src') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java index 6209d8ef9..6b3f4301f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java @@ -175,7 +175,7 @@ public class VerifyCMSSignatureRequestParser { excludeByteRangeFrom = new BigDecimal(excludeByteRangeFromStr); if (excludeByteRangeToStr != null) excludeByteRangeTo = new BigDecimal(excludeByteRangeToStr); - + return factory.createCMSDataObject(metaInfo, content, excludeByteRangeFrom, excludeByteRangeTo); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 0e5faf790..aca6f5895 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -311,6 +311,12 @@ public class CMSSignatureVerificationInvoker { ByteArrayOutputStream contentOs = new ByteArrayOutputStream(); + CMSDataObject dataobject = request.getDataObject(); + BigDecimal from = dataobject.getExcludeByteRangeFrom(); + BigDecimal to = dataobject.getExcludeByteRangeTo(); + + if ( (from == null) || (to == null)) + return contentIs; BigDecimal counter = new BigDecimal("0"); BigDecimal one = new BigDecimal("1"); @@ -318,7 +324,7 @@ public class CMSSignatureVerificationInvoker { try { while ((byteRead=contentIs.read()) >= 0) { - if (inRange(counter, request.getDataObject())) { + if (inRange(counter, dataobject)) { // if byte is in byte range, set byte to 0x00 contentOs.write(0); } -- cgit v1.2.3 From 6cc5cd2311c9e6cde062fa4034444969f9c293e0 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Sun, 9 Mar 2014 21:04:57 +0100 Subject: POMs added to dependencies maven-assembly-plugin version set to 2.2-beta-1 (for MOA-SPSS) Update TSL parts --- .../server/config/ConfigurationPartsBuilder.java | 24 ++++++++++++++++++---- .../spss/server/config/ConfigurationProvider.java | 5 +++-- 2 files changed, 23 insertions(+), 6 deletions(-) (limited to 'spss/server/serverlib/src') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 0908d88c9..287d8225b 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -1385,6 +1385,22 @@ public class ConfigurationPartsBuilder { Logger.warn(new LogMsg(txt)); warnings.add(txt); } + + /** + * Log a warning. + * + * @param messageId The message ID. + * @param args Additional parameters for the message. + * @see at.gv.egovernment.moa.spss.server.util.MessageProvider + */ + private void debug(String messageId, Object[] args) { + MessageProvider msg = MessageProvider.getInstance(); + String txt = msg.getMessage(messageId, args); + + Logger.debug(new LogMsg(txt)); + + } + /** * Log a debug message. @@ -1581,27 +1597,27 @@ public class ConfigurationPartsBuilder { String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null); if (StringUtils.isEmpty(euTSLUrl)) { euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL; - warn("config.39", new Object[] { "EUTSL", euTSLUrl }); + debug("config.39", new Object[] { "EUTSL", euTSLUrl }); } String updateSchedulePeriod = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "Period" , null); if (StringUtils.isEmpty(updateSchedulePeriod)) { updateSchedulePeriod = TSLConfiguration.DEFAULT_UPDATE_SCHEDULE_PERIOD; - warn("config.39", new Object[] { "UpdateSchedule/Period", updateSchedulePeriod }); + debug("config.39", new Object[] { "UpdateSchedule/Period", updateSchedulePeriod }); } String updateScheduleStartTime = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "StartTime", null); if (StringUtils.isEmpty(updateScheduleStartTime)) { updateScheduleStartTime = TSLConfiguration.DEFAULT_UPDATE_SCHEDULE_STARTTIME; - warn("config.39", new Object[] { "UpdateSchedule/StartTime", updateScheduleStartTime }); + debug("config.39", new Object[] { "UpdateSchedule/StartTime", updateScheduleStartTime }); } String workingDirectoryStr = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "WorkingDirectory", null); if (StringUtils.isEmpty(workingDirectoryStr)) { workingDirectoryStr = TSLConfiguration.DEFAULT_WORKING_DIR; - warn("config.39", new Object[] { "WorkingDirectory", workingDirectoryStr }); + debug("config.39", new Object[] { "WorkingDirectory", workingDirectoryStr }); } // convert update schedule starting time to Date object diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 2cad35763..87a4b50f4 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -347,6 +347,8 @@ public class ConfigurationProvider try { builder = new ConfigurationPartsBuilder(configElem, configRoot); + tslconfiguration_ = builder.getTSLConfiguration(); + digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName(); canonicalizationAlgorithmName = builder.getCanonicalizationAlgorithmName(); @@ -361,8 +363,6 @@ public class ConfigurationProvider keyGroupMappings = builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); - tslconfiguration_ = builder.getTSLConfiguration(); - xadesVersion = builder.getXAdESVersion(); defaultChainingMode = builder.getDefaultChainingMode(); chainingModes = builder.buildChainingModes(); @@ -379,6 +379,7 @@ public class ConfigurationProvider revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass(); + //check TSL configuration checkTSLConfiguration(); -- cgit v1.2.3 From 403896aef0f9d3c76bbfcf3e970ae7dbc983ffd4 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Mon, 10 Mar 2014 15:48:06 +0100 Subject: Update trustprofiles and certstore Update TSL processing (working directory handling) Update groupId of IAIK dependencies --- .../server/config/ConfigurationPartsBuilder.java | 123 ++++++++++++++++++--- .../spss/server/config/ConfigurationProvider.java | 78 ++++++++++++- .../properties/spss_messages_de.properties | 1 + 3 files changed, 184 insertions(+), 18 deletions(-) (limited to 'spss/server/serverlib/src') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 287d8225b..3d2da8384 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -1267,6 +1267,111 @@ public class ConfigurationPartsBuilder { return trustProfiles; } + /** + * Build the trust profile mapping. + * + * @return The profile ID to profile mapping. + */ + public Map buildTrustProfiles() + { + Map trustProfiles = new HashMap(); + NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); + Element profileElem; + + while ((profileElem = (Element) profileIter.nextNode()) != null) + { + String id = getElementValue(profileElem, CONF + "Id", null); + String trustAnchorsLocStr = getElementValue(profileElem, CONF + "TrustAnchorsLocation", null); + String signerCertsLocStr = getElementValue(profileElem, CONF + "SignerCertsLocation", null); + + URI trustAnchorsLocURI = null; + try + { + trustAnchorsLocURI = new URI(trustAnchorsLocStr); + if (!trustAnchorsLocURI.isAbsolute()) { // make it absolute to the config file + trustAnchorsLocURI = new URI(configRoot_.toURL() + trustAnchorsLocStr); + } + } + catch (URIException e) { + warn("config.14", new Object[] { "uri", id, trustAnchorsLocStr }, e); + continue; + } + catch (MalformedURLException e) + { + warn("config.15", new Object[] {id}, e); + continue; + } + + File profileDir = new File(trustAnchorsLocURI.getPath()); + if (!profileDir.exists() || !profileDir.isDirectory()) { + warn("config.27", new Object[] { "uri", id }); + continue; + } + + + + if (trustProfiles.containsKey(id)) { + warn("config.04", new Object[] { "TrustProfile", id }); + continue; + } + + URI signerCertsLocURI = null; + if (signerCertsLocStr != null && !"".equals(signerCertsLocStr)) + { + try + { + signerCertsLocURI = new URI(signerCertsLocStr); + if (!signerCertsLocURI.isAbsolute()) signerCertsLocURI = new URI(configRoot_.toURL() + signerCertsLocStr); + + File signerCertsDir = new File(signerCertsLocURI.getPath()); + if (!signerCertsDir.exists() || !signerCertsDir.isDirectory()) { + warn("config.27", new Object[] { "signerCertsUri", id }); + continue; + } + } + catch (URIException e) { + warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e); + continue; + } + catch (MalformedURLException e) { + warn("config.15", new Object[] {id}, e); + continue; + } + } + + signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; + + TrustProfile profile = null; + + profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, false, null); + + trustProfiles.put(id, profile); + + } + + return trustProfiles; + } + + /** + * checks if a trustprofile with TSL support is enabled + * + * @return true if TSL support is enabled in at least one trustprofile, else false + */ + public boolean checkTrustProfilesTSLenabled() + { + NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); + Element profileElem; + + boolean tslSupportEnabled = false; + while ((profileElem = (Element) profileIter.nextNode()) != null) { + Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); + if (eutslElem != null) //EUTSL element found --> TSL enabled + tslSupportEnabled = true; + } + + return tslSupportEnabled; + } + /** * Returns the location of the certificate store. * @@ -1593,7 +1698,7 @@ public class ConfigurationPartsBuilder { public TSLConfiguration getTSLConfiguration() { TSLConfigurationImpl tslconfiguration = new TSLConfigurationImpl(); - + String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null); if (StringUtils.isEmpty(euTSLUrl)) { euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL; @@ -1654,24 +1759,12 @@ public class ConfigurationPartsBuilder { return null; } - File hashcache = new File(tslWorkingDir, "hashcache"); - if (!hashcache.exists()) { - hashcache.mkdir(); - } - if (!hashcache.isDirectory()) { - error("config.38", new Object[] { hashcache.getAbsolutePath() }); - return null; - } - - System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); -// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); -// System.out.println("Hashcache: " + hashcachedir); - + debug("TSL Konfiguration - EUTSLUrl: " + euTSLUrl); debug("TSL Konfiguration - UpdateSchedule/Period: " + updateSchedulePeriod); debug("TSL Konfiguration - UpdateSchedule/StartTime: " + updateScheduleStartTime); debug("TSL Konfiguration - TSLWorkingDirectory: " + tslWorkingDir.getAbsolutePath()); - debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath()); + // set TSL configuration tslconfiguration.setEuTSLUrl(euTSLUrl); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 87a4b50f4..d67cbf1b4 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -347,7 +347,15 @@ public class ConfigurationProvider try { builder = new ConfigurationPartsBuilder(configElem, configRoot); - tslconfiguration_ = builder.getTSLConfiguration(); + if (builder.checkTrustProfilesTSLenabled()) { + debug("TSL support enabled for at least one trustprofile."); + tslconfiguration_ = builder.getTSLConfiguration(); + trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); + } + else { + tslconfiguration_ = null; + trustProfiles = builder.buildTrustProfiles(); + } digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName(); canonicalizationAlgorithmName = @@ -368,7 +376,9 @@ public class ConfigurationProvider chainingModes = builder.buildChainingModes(); useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess(); autoAddCertificates_ = builder.getAutoAddCertificates(); - trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); + //trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); + + distributionPoints = builder.buildDistributionPoints(); enableRevocationChecking_ = builder.getEnableRevocationChecking(); maxRevocationAge_ = builder.getMaxRevocationAge(); @@ -429,7 +439,21 @@ public class ConfigurationProvider } } - private void checkTSLConfiguration() throws ConfigurationException { + private boolean checkTSLenableTrustprofilesExist()throws ConfigurationException { + boolean bTSLEnabledTPExist = false; + Iterator it = trustProfiles.entrySet().iterator(); + while (it.hasNext()) { + Map.Entry pairs = (Map.Entry)it.next(); + TrustProfile tp = (TrustProfile) pairs.getValue(); + if (tp.isTSLEnabled()) + bTSLEnabledTPExist = bTSLEnabledTPExist || true; + } + + return bTSLEnabledTPExist; + + } + + private void checkTSLConfiguration() throws ConfigurationException { boolean bTSLEnabledTPExist = false; Iterator it = trustProfiles.entrySet().iterator(); while (it.hasNext()) { @@ -450,6 +474,43 @@ public class ConfigurationProvider throw new ConfigurationException("config.40", null); } + File workingDir = new File(tslconfiguration_.getWorkingDirectory()); + File eu_trust = new File(workingDir.getAbsolutePath() + "/trust/eu"); + if (!eu_trust.exists()) { + error("config.51", new Object[] {"Verzeichnis \"trust/eu\" existiert nicht"}); + throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" existiert nicht"}); + } + else { + File[] eutrustFiles = eu_trust.listFiles(); + if (eutrustFiles == null) { + error("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); + throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); + } + else { + if (eutrustFiles.length == 0) { + error("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); + throw new ConfigurationException("config.51", new Object[] {"Verzeichnis \"trust/eu\" ist leer"}); + } + } + + } + + File hashcache = new File(tslconfiguration_.getWorkingDirectory(), "hashcache"); + if (!hashcache.exists()) { + hashcache.mkdir(); + } + if (!hashcache.isDirectory()) { + error("config.38", new Object[] { hashcache.getAbsolutePath() }); + return; + } + + System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); +// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +// System.out.println("Hashcache: " + hashcachedir); + + + Logger.debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath()); + } @@ -760,6 +821,17 @@ public class ConfigurationProvider Logger.info(new LogMsg(msg.getMessage(messageId, parameters))); } + /** + * Log a debug message. + * + * @param messageId The message ID. + * @param parameters Additional parameters for the message. + * @see at.gv.egovernment.moa.spss.server.util.MessageProvider + */ + private static void debug(String message) { + Logger.debug(message); + } + /** * Log a warning. * diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties index e4ee607c0..9e2e0e490 100644 --- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties +++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties @@ -159,6 +159,7 @@ config.46=Start periodical TSL update task at {0} and then every {1} millisecond config.48=No whitelisted URIs given. config.49=Whitelisted URI: {0}. config.50=Fehler beim Erstellen des TSL Vertrauensprofils: Das Verzeichnis ({0}) ist kein Verzeichnis. +config.51=Fehler beim Erstellen der TSL Konfiguration: TSL-Arbeitsverzeichnis ist fehlerhaft ({0}). handler.00=Starte neue Transaktion: TID={0}, Service={1} handler.01=Aufruf von Adresse={0} -- cgit v1.2.3 From 51a43cf305020f780c52cfe1d70e793be9391f16 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Mon, 17 Mar 2014 21:13:42 +0100 Subject: Update to version 2.0.0 (pom, handbook, etc.) Handbook usage updated (TSL example added) Update TSL handling --- .../moa/spss/tsl/connector/TSLConnector.java | 1 + .../moa/spss/tsl/timer/TSLUpdaterTimerTask.java | 46 +-- .../spss/tsl/utils/TSLImportFromFileContext.java | 343 ++++++++++++--------- 3 files changed, 230 insertions(+), 160 deletions(-) (limited to 'spss/server/serverlib/src') diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java index 07da0a998..3a004a81d 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java @@ -1,6 +1,7 @@ package at.gv.egovernment.moa.spss.tsl.connector; import iaik.asn1.ObjectID; + import iaik.util._; import iaik.util.logging._l; import iaik.utils.RFC2253NameParser; diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java index 5456701c0..e06abe44d 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java @@ -46,7 +46,9 @@ public class TSLUpdaterTimerTask extends TimerTask { public void run() { try { + Logger.info("Start TSL Update"); update(); + Logger.info("Finished TSL Update"); } catch (TSLEngineDiedException e) { MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage("tsl.00", null)), e); @@ -172,33 +174,33 @@ public class TSLUpdaterTimerTask extends TimerTask { // convert ArrayList to X509Certificate[] if (tsl_certs == null) { - Logger.error("No certificates from TSL imported."); - throw new TSLSearchException("No certificates from TSL imported."); + Logger.warn("No certificates from TSL imported."); + //throw new TSLSearchException("No certificates from TSL imported."); } + else { - X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()]; - Iterator itcert = tsl_certs.iterator(); - i = 0; - File f = null; - while(itcert.hasNext()) { - f = (File)itcert.next(); - FileInputStream fis = new FileInputStream(f); - X509Certificate cert = new X509Certificate(fis); - addCertificatesTSL[i] = cert; + X509Certificate[] addCertificatesTSL = new X509Certificate[tsl_certs.size()]; + Iterator itcert = tsl_certs.iterator(); + i = 0; + File f = null; + while(itcert.hasNext()) { + f = (File)itcert.next(); + FileInputStream fis = new FileInputStream(f); + X509Certificate cert = new X509Certificate(fis); + addCertificatesTSL[i] = cert; - i++; - fis.close(); - } + i++; + fis.close(); + } - Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates.")); - storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid); - storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid); + Logger.debug(new LogMsg("Add " + addCertificatesTSL.length + " certificates.")); + storeUpdater.addCertificatesToTrustStores(addCertificatesTSL, tid); + storeUpdater.addCertificatesToCertStores(addCertificatesTSL, tid); - Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); - storeUpdater.addCertificatesToTrustStores(addCertificates, tid); - storeUpdater.addCertificatesToCertStores(addCertificates, tid); - - + Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); + storeUpdater.addCertificatesToTrustStores(addCertificates, tid); + storeUpdater.addCertificatesToCertStores(addCertificates, tid); + } } } } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java index f0dbd779e..492d10eda 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/utils/TSLImportFromFileContext.java @@ -1,6 +1,7 @@ package at.gv.egovernment.moa.spss.tsl.utils; import iaik.util.logging._l; + import iaik.util.logging.Log.MultiThreadLoggingGroup; import iaik.utils.RFC2253NameParserException; import iaik.utils.Util; @@ -15,6 +16,7 @@ import iaik.xml.crypto.tsl.TSLOpenURIException; import iaik.xml.crypto.tsl.TSLThreadContext; import iaik.xml.crypto.tsl.ValidationFixupFilter; import iaik.xml.crypto.tsl.ValidationFixupFilter.AttributeValueFixup; +import iaik.xml.crypto.tsl.ValidationFixupFilter.DeleteAttrFixup; import iaik.xml.crypto.tsl.ValidationFixupFilter.ElementStringValueFixup; import iaik.xml.crypto.tsl.ValidationFixupFilter.FixedSaxLevelValidationExcption; import iaik.xml.crypto.tsl.ValidationFixupFilter.Fixup; @@ -97,44 +99,34 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF trustAnchorsWrongOnEuTsl_; public TSLImportFromFileContext( - Countries expectedTerritory, - URL url, - Number otherTslPointerId, - String workingdirectory, - boolean sqlMultithreaded, - boolean throwExceptions, - boolean logExceptions, - boolean throwWarnings, - boolean logWarnings, - boolean nullRedundancies, - String baseuri, - Map > trustAnchorsWrongOnEuTsl, - TSLThreadContext parentContext) { - super( - expectedTerritory, - url, - otherTslPointerId, - workingdirectory, - sqlMultithreaded, - throwExceptions, - logExceptions, - throwWarnings, - logWarnings, - nullRedundancies, - parentContext); - baseuri_ = baseuri; - trustAnchorsWrongOnEuTsl_ = trustAnchorsWrongOnEuTsl; - } - - public List getErrorsAndWarnings() { - List errorsAndWarnings = new ArrayList(); - errorsAndWarnings.addAll(this.fatals_); - errorsAndWarnings.addAll(this.faildTransactions_); - errorsAndWarnings.addAll(this.warnings_); - - return errorsAndWarnings; - } - + Countries expectedTerritory, + URL url, + Number otherTslPointerId, + String workingdirectory, + boolean sqlMultithreaded, + boolean throwExceptions, + boolean logExceptions, + boolean throwWarnings, + boolean logWarnings, + boolean nullRedundancies, + String baseuri, + Map > trustAnchorsWrongOnEuTsl, + TSLThreadContext parentContext) { + super( + expectedTerritory, + url, + otherTslPointerId, + workingdirectory, + sqlMultithreaded, + throwExceptions, + logExceptions, + throwWarnings, + logWarnings, + nullRedundancies, + parentContext); + baseuri_ = baseuri; + trustAnchorsWrongOnEuTsl_ = trustAnchorsWrongOnEuTsl; + } /* (non-Javadoc) * @see iaik.xml.crypto.tsl.TSLImportFromFileContext#getbaseURI() */ @@ -142,67 +134,80 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF public String getbaseURI() { return this.baseuri_; } - + + + + //@Override - protected RuntimeException wrapException(Throwable t, Locator l, Mitigation m) { - return super.wrapException(t, l, m); - } + protected RuntimeException wrapException(Throwable t, Locator l, Mitigation m) { + return super.wrapException(t, l, m); + } @Override - public synchronized void throwException(Throwable e) { + public + synchronized void throwException(Throwable e) { if (e instanceof TSLValidationException) { // we do not throw dom validation errors for testing // and just collect them wrapException(e); - } else if (e instanceof TSLVerificationException) { + + boolean corrected = false; // we do not throw verification errors for testing // and just collect them - if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NO_TSL_SIGNATURE - .getClass().getName(), "true")) - && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NO_TSL_SIGNATURE) { - - //TSL with no signature are ignored!!!! - l.warn("TSL IS NOT SIGNED! " - + this.expectedTerritory_.name() + " TSL ignored."); - } - - if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE - .getClass().getName(), "true")) - && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE) { - ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); - } - - if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE - .getClass().getName(), "true")) - && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE) { - ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); - } - - if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE - .getClass().getName(), "true")) - && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE) { - ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); - } - - if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE - .getClass().getName(), "true")) - && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE) { - ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); - } +// // NEVER DO THIS! unless you want to import TSLs without signatures. +// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NO_TSL_SIGNATURE +// .getClass().getName(), "true")) +// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NO_TSL_SIGNATURE) { +// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); +// } +// +// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE +// .getClass().getName(), "true")) +// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_REFERENCE_IN_TSL_SIGNATURE) { +// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); +// } - wrapException(e); +// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE +// .getClass().getName(), "true")) +// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORMS_IN_TSL_SIGNATURE) { +// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); +// +// corrected = true; +// } +// +// +// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE +// .getClass().getName(), "true")) +// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_TRANSFORM_IN_TSL_SIGNATURE) { +// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); +// +// corrected = true; +// } +// +// if (Boolean.valueOf(_.getSysProperty(TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE +// .getClass().getName(), "true")) +// && ((TSLVerificationException) e).getType() == TSLSecurityException.Type.NON_CONFORMANT_C14N_IN_TSL_SIGNATURE) { +// ((TSLVerificationException) e).setMitigation(Mitigation.IGNORED); +// +// corrected = true; +// } +// +// if (corrected) +// wrapException(e); +// else +// super.throwException(e); + + super.throwException(e); } else if (e instanceof FileNotFoundException) { // we do not stop and continue processing wrapException(e); - } else if (e instanceof IllegalArgumentException) { // we do not stop and continue processing wrapException(e); - } else { // all other errors are treated as per default super.throwException(e); @@ -221,9 +226,6 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF if( e instanceof FixedSaxLevelValidationExcption && enclosingMethod.getDeclaringClass().equals(ValidationFixupFilter.class)){ - - - wrapException(e, ((LocatorAspect) e).getLocator(), new FixedValidationMitigation("Performed SAX Level Fixup.")); @@ -247,7 +249,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF if (parameters[0] instanceof DOMError) { DOMError domError = (DOMError) parameters[0]; - l.info(""+domError.getRelatedData()); + _l.warn(""+domError.getRelatedData()); // domError.getRelatedData().getClass().getField("") @@ -308,6 +310,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF } }); return mitigatedResult; + } } @@ -378,11 +381,43 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF } } - l.error("Ignoring download error using old: " + parameters[0], null); + _l.err("Ignoring download error using old: " + parameters[0], null); wrapException(e); return parameters[1]; } +// if ( +// expectedTerritory_ == Countries.PL &&( +// (e.getCause() instanceof java.io.EOFException || +// e.getCause() instanceof iaik.security.ssl.SSLException) && +// parameters[0] instanceof URL && +// ((URL)parameters[0]).getProtocol().equalsIgnoreCase("https") +// )){ +// File f = null; +// System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true"); +// TLS.register("TLSv1"); +// try { +// f = (File) enclosingMethod.invoke(thisObject, parameters); +// } catch (IllegalAccessException e1) { +// wrapException(e1); +// } catch (InvocationTargetException e1) { +// wrapException(e1); +// } +// +// // System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", null); +// TLS.register(); +// +// if (f != null){ +// wrapException(e, null, new Mitigation() { +// @Override +// public String getReport() { +// return "Trying TLSv1 and sun.security.ssl.allowUnsafeRenegotiation=true"; +// } +// }); +// return f; +// } +// } + if ( e instanceof TSLSecurityException && enclosingMethod.getDeclaringClass().equals(TSLContext.class) && @@ -406,14 +441,14 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF wrapException(e1); } wrapException(e, getLocator(), - new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation(){ - @Override - public String getReport() { - return "make an exception for " + expectedTerritory_ + " who have the wrong certificate in " + - "the EU TSL and allow the certificate " + - parameters[1]; - } - }); + new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation(){ + @Override + public String getReport() { + return "make an exception for " + expectedTerritory_ + " who have the wrong certificate in " + + "the EU TSL and allow the certificate " + + parameters[1]; + } + }); return null; } X509Certificate crt = (X509Certificate)parameters[1]; @@ -530,47 +565,45 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF } } -// //TODO: CONSIDER, IF WE REALLY WANT THIS PART OF CODE! -// //ugly hack to accept a certificate which uses a crazy X509SubjectName!! -// if ( expectedTerritory_ == Countries.DK && -// e instanceof KeySelectorException && -// parameters[0] instanceof X509DataImpl){ -// if (e.getMessage().equals("KeyInfo X509SubjectName (CN=Adam Arndt Digst,serialNumber=CVR:34051178-RID:25902029,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) does not match SubjectDN (serialNumber=CVR:34051178-RID:25902029+CN=Adam Arndt Digst,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) of KeyInfo X509Certificate.\n"+ -// "Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key.")) { -// -// X509DataImpl x509DataImpl = (X509DataImpl) parameters[0]; -// -// Node child = x509DataImpl.getNode().getFirstChild().getNextSibling(); -// Node child1 = x509DataImpl.getNode().getFirstChild(); -// -// x509DataImpl.getNode().removeChild(child); -// x509DataImpl.getNode().removeChild(child1); -// -// -// parameters[0] = (X509Data) x509DataImpl -// -// Object mitigatedResult = null; -// try { -// -// mitigatedResult = enclosingMethod.invoke(thisObject, parameters); -// } catch (IllegalAccessException e1) { -// wrapException(e1); -// } catch (InvocationTargetException e1) { -// wrapException(e1); -// } -// -// if (mitigatedResult != null){ -// wrapException(e, null, new Mitigation(null) { -// @Override -// public String getReport() { -// return "Deleted wrong X509SubjectName from XMLDSIG Signature."; -// } -// }); -// return mitigatedResult; -// } -// } -// } - + if ( expectedTerritory_ == Countries.DK && + e instanceof KeySelectorException && + parameters[0] instanceof X509DataImpl){ + if (e.getMessage().equals("KeyInfo X509SubjectName (CN=Adam Arndt Digst,serialNumber=CVR:34051178-RID:25902029,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) does not match SubjectDN (serialNumber=CVR:34051178-RID:25902029+CN=Adam Arndt Digst,O=Digitaliseringsstyrelsen // CVR:34051178,C=DK) of KeyInfo X509Certificate.\n"+ + "Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear MUST refer to the certificate or certificates containing the validation key.")) { + + X509DataImpl x509DataImpl = (X509DataImpl) parameters[0]; + + ListIterator li = x509DataImpl.getContent().listIterator(); + li.next(); + String sn = (String) li.next(); + + _l.err(sn, null); + + System.exit(1); + + Object mitigatedResult = null; + try { + + mitigatedResult = enclosingMethod.invoke(thisObject, parameters); + } catch (IllegalAccessException e1) { + wrapException(e1); + } catch (InvocationTargetException e1) { + wrapException(e1); + } + + if (mitigatedResult != null){ + wrapException(e, null, new iaik.xml.crypto.tsl.ex.SeverityAspect.Mitigation() { + @Override + public String getReport() { + return "Deleted wrong X509SubjectName from XMLDSIG Signature."; + } + }); + return mitigatedResult; + + } + } + } + } else { if (e instanceof MitigatedTSLSecurityException){ @@ -578,7 +611,6 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF // and collect them wrapException(e); return null; - } else if (e instanceof FixedSaxLevelValidationExcption) { // we allow to mitigate Sax Level Fixup for testing // and collect them @@ -607,7 +639,11 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF if(expectedTerritory_ == Countries.EL){ //fix the whitespace in Greece TSL status = status.trim(); - } + } + if (status != null && status.startsWith("http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/")) { + status = status.substring("http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/".length()); + } + return super.compressStatus(status); } @@ -625,6 +661,37 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF @Override public iaik.xml.crypto.tsl.ValidationFixupFilter.Fixup getSaxLevelValidationFixup(SAXParseException e) { + if (expectedTerritory_ == Countries.AT){ + if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){ + return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this); + } + } + + if (expectedTerritory_ == Countries.CZ){ + if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){ + return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this); + } + } + + if (expectedTerritory_ == Countries.FR){ + if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){ + return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this); + } + } + + if (expectedTerritory_ == Countries.NO){ + if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){ + return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this); + } + } + + if (expectedTerritory_ == Countries.SK){ + if (e.getMessage().equals("cvc-type.3.1.1: Element 'tsl:URI' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'xml:lang' was found.")){ + return new DeleteAttrFixup("http://www.w3.org/XML/1998/namespace","lang", e, this); + } + } + + if (expectedTerritory_ == Countries.ES && getDownloadLocation().toString().contains(".es/")){ if (e.getMessage().equals("cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'tslx:CertSubjectDNAttributeType'.")){ return new LocalNameFixup("CertSubjectDNAttributeType","CertSubjectDNAttribute",e, this); @@ -734,7 +801,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF String msg = e.getMessage(); - l.info(msg); + _l.info(msg); return( msg.startsWith("["+SQLiteErrorCode.SQLITE_CONSTRAINT.name()+"]") && msg.contains("column " + DbTables.TSLDownload.C.rawHash + " is not unique") @@ -748,7 +815,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF @Override protected long howLongWaitForThreads() { // TODO Auto-generated method stub - return 10000; + return 100000; } @Override @@ -768,7 +835,7 @@ public class TSLImportFromFileContext extends iaik.xml.crypto.tsl.TSLImportFromF synchronized (log) { parentContext_.print("<" + ncName + " state=\"" + currentThread.getState() + "\" " + " id=\"" + currentThread.getId() + "\">\n" + log.toString() + "\n"); + + ncName + ">" + _.LB); parentContext_.flushLog(); log.setLength(0); } -- cgit v1.2.3