From a52d3300d20837b12b45a0d4fb2b0ee520f6e641 Mon Sep 17 00:00:00 2001 From: Klaus Stranacher Date: Wed, 14 Aug 2013 16:36:40 +0200 Subject: TSL integration updates: - Setting of hashcache parameter in MOA - Update MOA-SP Response (Source attribute in QualifiedCertificate and SecureSignatureCreationDevice element) - Hidden truststores (for TSL enabled truststore: given certificates are copied to hidden truststore, where TSL certificates are copied) - Update of QC and SSCD detection - Update MOA-SPSS config: EU TSL URL can be set via configuration --- .../.settings/org.eclipse.wst.common.component | 1 - .../org.eclipse.wst.common.project.facet.core.xml | 4 +- .../gv/egovernment/moa/spss/api/SPSSFactory.java | 8 +- .../moa/spss/api/common/SignerInfo.java | 11 ++ .../moa/spss/api/common/TSLConfiguration.java | 7 ++ .../moa/spss/api/impl/SPSSFactoryImpl.java | 6 +- .../moa/spss/api/impl/SignerInfoImpl.java | 31 +++++- .../moa/spss/api/impl/TSLConfigurationImpl.java | 23 +++- .../moa/spss/api/xmlbind/ResponseBuilderUtils.java | 6 +- .../xmlbind/VerifyCMSSignatureResponseBuilder.java | 5 +- .../xmlbind/VerifyXMLSignatureResponseBuilder.java | 4 +- .../server/config/ConfigurationPartsBuilder.java | 91 ++++++++++++++-- .../spss/server/config/ConfigurationProvider.java | 6 +- .../moa/spss/server/config/TrustProfile.java | 29 +++--- .../moa/spss/server/init/SystemInitializer.java | 8 +- .../invoke/CMSSignatureVerificationInvoker.java | 116 +++++++++++++++++++-- .../invoke/VerifyCMSSignatureResponseBuilder.java | 27 ++--- .../invoke/VerifyXMLSignatureResponseBuilder.java | 30 +++--- .../invoke/XMLSignatureVerificationInvoker.java | 65 ++++++++++-- .../moa/spss/tsl/connector/TSLConnector.java | 27 +++-- .../moa/spss/tsl/timer/TSLUpdaterTimerTask.java | 26 +++-- .../properties/spss_messages_de.properties | 1 + 22 files changed, 416 insertions(+), 116 deletions(-) (limited to 'spss/server/serverlib') diff --git a/spss/server/serverlib/.settings/org.eclipse.wst.common.component b/spss/server/serverlib/.settings/org.eclipse.wst.common.component index 7170b56ac..ee24ef8ba 100644 --- a/spss/server/serverlib/.settings/org.eclipse.wst.common.component +++ b/spss/server/serverlib/.settings/org.eclipse.wst.common.component @@ -2,6 +2,5 @@ - diff --git a/spss/server/serverlib/.settings/org.eclipse.wst.common.project.facet.core.xml b/spss/server/serverlib/.settings/org.eclipse.wst.common.project.facet.core.xml index 69dc9cc0f..656f15b87 100644 --- a/spss/server/serverlib/.settings/org.eclipse.wst.common.project.facet.core.xml +++ b/spss/server/serverlib/.settings/org.eclipse.wst.common.project.facet.core.xml @@ -3,5 +3,5 @@ - - + + \ No newline at end of file diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java index 26cce1a82..80f996b36 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java @@ -1090,6 +1090,8 @@ public abstract class SPSSFactory { * @param signerCertificate The signer certificate in binary form. * @param qualifiedCertificate true, if the signer certificate is * a qualified certificate, otherwise false. + * @param qcSourceTSL true, if the QC information comes from the TSL, + * otherwise false. * @param publicAuthority true, if the signer certificate is a * public authority certificate, otherwise false. * @param publicAuthorityID The identification of the public authority @@ -1097,6 +1099,8 @@ public abstract class SPSSFactory { * null. * @param sscd true, if the TSL check verifies the * signature based on a SSDC, otherwise false. + * @param sscdSourceTSL true, if the SSCD information comes from the TSL, + * otherwise false. * @return The SignerInfo containing the above data. * * @pre signerCertSubjectName != null @@ -1106,9 +1110,11 @@ public abstract class SPSSFactory { public abstract SignerInfo createSignerInfo( X509Certificate signerCertificate, boolean qualifiedCertificate, + boolean qcSourceTSL, boolean publicAuthority, String publicAuthorityID, - boolean sscd); + boolean sscd, + boolean sscdSourceTSL); /** * Create a new X509IssuerSerial object. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java index 7a1942214..337f775bf 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/SignerInfo.java @@ -58,6 +58,17 @@ public interface SignerInfo { */ public boolean isSSCD(); + /** + * Returns the source of the SSCD check (TSL or Certificate) * + */ + public String getSSCDSource(); + + /** + * Returns the source of the QC check (TSL or Certificate) * + */ + public String getQCSource(); + + /** * Checks, whether the certificate contained in this object is a * public authority certificate. diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java index fd7d38217..29529322c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/common/TSLConfiguration.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.spss.api.common; +import iaik.ixsil.util.URI; + import java.util.Date; @@ -70,5 +72,10 @@ public interface TSLConfiguration { */ public String getWorkingDirectory(); + /** + * + * @return + */ + public URI getWorkingDirectoryAsURI(); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java index 7c1208e8f..74f65cb70 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java @@ -622,15 +622,19 @@ public class SPSSFactoryImpl extends SPSSFactory { public SignerInfo createSignerInfo( X509Certificate signerCertificate, boolean qualifiedCertificate, + boolean qcSourceTSL, boolean publicAuthority, String publicAuthorityID, - boolean sscd) { + boolean sscd, + boolean sscdSourceTSL) { SignerInfoImpl signerInfo = new SignerInfoImpl(); signerInfo.setSignerCertificate(signerCertificate); signerInfo.setQualifiedCertificate(qualifiedCertificate); + signerInfo.setQCSourceTSL(qcSourceTSL); signerInfo.setPublicAuthority(publicAuthority); signerInfo.setPublicAuhtorityID(publicAuthorityID); signerInfo.setSSCD(sscd); + signerInfo.setSSCDSourceTSL(sscdSourceTSL); return signerInfo; } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java index 56a9004fc..5d26397c5 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SignerInfoImpl.java @@ -49,6 +49,13 @@ public class SignerInfoImpl implements SignerInfo { /** Determines, whether the signature is based on an SSCD */ private boolean sscd; + + /** Determines, if the SSCD check bases upon on TSL */ + private boolean sscdSourceTSL; + + /** Determines, if the QC check bases upon on TSL */ + private boolean qcSourceTSL; + /** * Sets the signer certificate. * @@ -87,7 +94,29 @@ public class SignerInfoImpl implements SignerInfo { } public boolean isSSCD() { return sscd; - } + } + + public void setSSCDSourceTSL(boolean sscdSourceTSL) { + this.sscdSourceTSL = sscdSourceTSL; + } + + public String getSSCDSource() { + if (sscdSourceTSL) + return "TSL"; + else + return "Certificate"; + } + + public void setQCSourceTSL(boolean qcSourceTSL) { + this.qcSourceTSL = qcSourceTSL; + } + + public String getQCSource() { + if (qcSourceTSL) + return "TSL"; + else + return "Certificate"; + } /** * Sets, whether the certificate contained in this object is an diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java index 15d66614e..87314e1f7 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/impl/TSLConfigurationImpl.java @@ -24,6 +24,8 @@ package at.gv.egovernment.moa.spss.api.impl; +import iaik.ixsil.util.URI; + import java.util.Date; import at.gv.egovernment.moa.spss.api.common.TSLConfiguration; @@ -38,7 +40,7 @@ public class TSLConfigurationImpl implements TSLConfiguration { /** The EU TSL URL. */ -// private String euTSLUrl; + private String euTSLUrl; /** update period in milliseconds */ private long updateSchedulePeriod; @@ -48,9 +50,12 @@ public class TSLConfigurationImpl implements TSLConfiguration { /** Working directory */ private String workingDirectory; + + /** Working directory */ + private URI workingDirectoryAsURI; public String getEuTSLUrl() { - return this.DEFAULT_EU_TSL_URL; + return this.euTSLUrl; } public long getUpdateSchedulePeriod() { @@ -64,10 +69,14 @@ public class TSLConfigurationImpl implements TSLConfiguration { public String getWorkingDirectory() { return this.workingDirectory; } + + public URI getWorkingDirectoryAsURI() { + return this.workingDirectoryAsURI; + } -// public void setEuTSLUrl(String euTSLUrl) { -// this.euTSLUrl = euTSLUrl; -// } + public void setEuTSLUrl(String euTSLUrl) { + this.euTSLUrl = euTSLUrl; + } public void setUpdateSchedulePeriod(long updateSchedulePeriod) { this.updateSchedulePeriod = updateSchedulePeriod; @@ -80,6 +89,10 @@ public class TSLConfigurationImpl implements TSLConfiguration { public void setWorkingDirectory(String workingDirectory) { this.workingDirectory = workingDirectory; } + + public void setWorkingDirectoryURI(URI workingDirectoryAsURI) { + this.workingDirectoryAsURI = workingDirectoryAsURI; + } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java index a228a0db8..505303bc1 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java @@ -117,9 +117,11 @@ class ResponseBuilderUtils { Element root, X509Certificate cert, boolean isQualified, + String qcSource, boolean isPublicAuthority, String publicAuthorityID, - boolean isSSCD) + boolean isSSCD, + String sscdSource) throws MOAApplicationException { Element signerInfoElem = response.createElementNS(MOA_NS_URI, "SignerInfo"); @@ -182,6 +184,7 @@ class ResponseBuilderUtils { x509DataElem.appendChild(x509IssuerSerialElem); x509DataElem.appendChild(x509CertificateElem); if (isQualified) { + qualifiedCertificateElem.setAttributeNS(MOA_NS_URI, "Source", qcSource); x509DataElem.appendChild(qualifiedCertificateElem); } if (isPublicAuthority) { @@ -192,6 +195,7 @@ class ResponseBuilderUtils { } } if (isSSCD) { + sscdElem.setAttributeNS(MOA_NS_URI, "Source", sscdSource); x509DataElem.appendChild(sscdElem); } signerInfoElem.appendChild(x509DataElem); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java index 7ad838822..238875351 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureResponseBuilder.java @@ -99,14 +99,17 @@ public class VerifyCMSSignatureResponseBuilder { CheckResult signatureCheck = responseElement.getSignatureCheck(); CheckResult certCheck = responseElement.getCertificateCheck(); + //TODO ResponseBuilderUtils.addSignerInfo( responseDoc, responseElem, signerInfo.getSignerCertificate(), signerInfo.isQualifiedCertificate(), + signerInfo.getQCSource(), signerInfo.isPublicAuthority(), signerInfo.getPublicAuhtorityID(), - signerInfo.isSSCD()); + signerInfo.isSSCD(), + signerInfo.getSSCDSource()); ResponseBuilderUtils.addCodeInfoElement( responseDoc, diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java index 0d3e0c18e..8673fba1c 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java @@ -96,9 +96,11 @@ public class VerifyXMLSignatureResponseBuilder { responseElem, response.getSignerInfo().getSignerCertificate(), response.getSignerInfo().isQualifiedCertificate(), + response.getSignerInfo().getQCSource(), response.getSignerInfo().isPublicAuthority(), response.getSignerInfo().getPublicAuhtorityID(), - response.getSignerInfo().isSSCD()); + response.getSignerInfo().isSSCD(), + response.getSignerInfo().getSSCDSource()); // add HashInputData elements responseData = response.getHashInputDatas(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 2dcffa014..d2ee75116 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -67,6 +67,7 @@ import at.gv.egovernment.moa.spss.api.impl.TSLConfigurationImpl; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; +import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.StringUtils; import at.gv.egovernment.moa.util.XPathUtils; @@ -1135,11 +1136,11 @@ public class ConfigurationPartsBuilder { } /** - * Bulid the trust profile mapping. + * Build the trust profile mapping. * * @return The profile ID to profile mapping. */ - public Map buildTrustProfiles() + public Map buildTrustProfiles(String tslWorkingDir) { Map trustProfiles = new HashMap(); NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); @@ -1213,8 +1214,62 @@ public class ConfigurationPartsBuilder { } signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; - TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries); + + TrustProfile profile = null; + + if (tslEnabled) { + // create new trust anchor location (=tslworking trust profile) + File fTslWorkingDir = new File(tslWorkingDir); + File tp = new File(fTslWorkingDir, "trustprofiles"); + if (!tp.exists()) + tp.mkdir(); + if (!tp.isDirectory()) { + error("config.50", new Object[] { tp.getPath() }); + // TODO? + } + + File tpid = new File(tp, id); + if (!tpid.exists()) + tpid.mkdir(); + if (!tpid.isDirectory()) { + error("config.50", new Object[] { tpid.getPath() }); + // TODO? + } + + + //System.out.println("tps: " + tpid.getAbsolutePath()); + + // create profile + profile = new TrustProfile(id, tpid.getAbsolutePath(), signerCertsLocStr, tslEnabled, countries); + + // set original uri (save original trust anchor location) + profile.setUriOrig(trustAnchorsLocURI.getPath()); + + // delete files in tslworking trust profile + File[] files = tpid.listFiles(); + for (File file : files) + file.delete(); + + // copy files from trustAnchorsLocURI into tslworking trust profile kopieren + File src = new File(trustAnchorsLocURI.getPath()); + files = src.listFiles(); + for (File file : files) { + FileUtils.copyFile(file, new File(tpid, file.getName())); + } + +// System.out.println("ID: " + id); +// System.out.println("Str: " + trustAnchorsLocStr); +// System.out.println("URI: " + trustAnchorsLocURI.toString()); +// System.out.println("tslWorkingDir: " + tslWorkingDir); + + } else { + + profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries); + + } + trustProfiles.put(id, profile); + } return trustProfiles; @@ -1531,11 +1586,11 @@ public class ConfigurationPartsBuilder { TSLConfigurationImpl tslconfiguration = new TSLConfigurationImpl(); -// String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null); -// if (StringUtils.isEmpty(euTSLUrl)) { -// warn("config.39", new Object[] { "EUTSL", euTSLUrl }); -// return null; -// } + String euTSLUrl = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "EUTSLUrl", null); + if (StringUtils.isEmpty(euTSLUrl)) { + euTSLUrl = TSLConfiguration.DEFAULT_EU_TSL_URL; + warn("config.39", new Object[] { "EUTSL", euTSLUrl }); + } String updateSchedulePeriod = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "UpdateSchedule/" + CONF + "Period" , null); @@ -1591,17 +1646,31 @@ public class ConfigurationPartsBuilder { return null; } + File hashcache = new File(tslWorkingDir, "hashcache"); + if (!hashcache.exists()) { + hashcache.mkdir(); + } + if (!hashcache.isDirectory()) { + error("config.38", new Object[] { hashcache.getAbsolutePath() }); + return null; + } + + System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); +// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +// System.out.println("Hashcache: " + hashcachedir); + + debug("TSL Konfiguration - EUTSLUrl: " + euTSLUrl); debug("TSL Konfiguration - UpdateSchedule/Period: " + updateSchedulePeriod); debug("TSL Konfiguration - UpdateSchedule/StartTime: " + updateScheduleStartTime); debug("TSL Konfiguration - TSLWorkingDirectory: " + tslWorkingDir.getAbsolutePath()); + debug("TSL Konfiguration - Hashcache: " + hashcache.getAbsolutePath()); // set TSL configuration - //tslconfiguration.setEuTSLUrl(euTSLUrl); + tslconfiguration.setEuTSLUrl(euTSLUrl); tslconfiguration.setUpdateSchedulePeriod(Long.valueOf(updateSchedulePeriod).longValue()); tslconfiguration.setUpdateScheduleStartTime(updateScheduleStartTimeDate); tslconfiguration.setWorkingDirectory(tslWorkingDir.getAbsolutePath()); - - + tslconfiguration.setWorkingDirectoryURI(workingDirectoryURI); return tslconfiguration; } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 08478b717..2cad35763 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -361,12 +361,14 @@ public class ConfigurationProvider keyGroupMappings = builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); + tslconfiguration_ = builder.getTSLConfiguration(); + xadesVersion = builder.getXAdESVersion(); defaultChainingMode = builder.getDefaultChainingMode(); chainingModes = builder.buildChainingModes(); useAuthorityInfoAccess_ = builder.getUseAuthorityInfoAccess(); autoAddCertificates_ = builder.getAutoAddCertificates(); - trustProfiles = builder.buildTrustProfiles(); + trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); distributionPoints = builder.buildDistributionPoints(); enableRevocationChecking_ = builder.getEnableRevocationChecking(); maxRevocationAge_ = builder.getMaxRevocationAge(); @@ -376,7 +378,7 @@ public class ConfigurationProvider revocationArchiveJDBCURL_ = builder.getRevocationArchiveJDBCURL(); revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass(); - tslconfiguration_ = builder.getTSLConfiguration(); + //check TSL configuration checkTSLConfiguration(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java index 1b5f4473d..21063c77f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java @@ -41,6 +41,8 @@ public class TrustProfile { private String signerCertsUri; /** Defines if Trustprofile makes use of EU TSL*/ private boolean tslEnabled; + /** The original URI (out of the configuration) giving the location of the trust profile (used when TSL is enabled) */ + private String uriOrig; /** The countries given */ private String countries; /** */ @@ -80,6 +82,15 @@ public class TrustProfile { public String getUri() { return uri; } + + /** + * Return the original URI of this TrustProfile. + * + * @return The original URI of TrustProfile. + */ + public String getUriOrig() { + return uriOrig; + } /** * Return the URI giving the location of the allowed signer certificates @@ -108,20 +119,14 @@ public class TrustProfile { return countries; } + /** - * Return the old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update - * @return The old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update + * Sets the original URI of this TrustProfile. + * + * @return The original URI of TrustProfile. */ - public X509Certificate[] getCertficatesToBeRemoved() { - return certificatesToBeRemoved; + public void setUriOrig(String uriOrig) { + this.uriOrig = uriOrig; } - /** - * Sets the old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update - * @param certificates The old certificates (from previous TSL update) to be removed from the truststore before performing a new TSL update - */ - public void setCertificatesToBeRemoved(X509Certificate[] certificates) { - this.certificatesToBeRemoved = new X509Certificate[certificates.length]; - this.certificatesToBeRemoved = certificates; - } } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index c9b76dd7e..3640dc23f 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -31,15 +31,12 @@ import iaik.server.ConfigurationData; import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; import iaik.xml.crypto.tsl.ex.TSLSearchException; -import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; import java.security.cert.CertificateException; -import java.util.ArrayList; import java.util.Calendar; import java.util.Date; import java.util.GregorianCalendar; -import java.util.Iterator; import java.util.Timer; import at.gv.egovernment.moa.logging.LogMsg; @@ -125,6 +122,7 @@ public class SystemInitializer { //initialize TSL module TSLConfiguration tslconfig = config.getTSLConfiguration(); + TSLConnector tslconnector = new TSLConnector(); if (tslconfig != null) { //Logger.info(new LogMsg(msg.getMessage("init.01", null))); @@ -133,10 +131,14 @@ public class SystemInitializer { } +// System.out.println("Hashcache 1: " + BinaryHashCache.DIR); + //start TSL Update TSLUpdaterTimerTask.tslconnector_ = tslconnector; TSLUpdaterTimerTask.update(); +// System.out.println("Hashcache 2: " + BinaryHashCache.DIR); + //initialize TSL Update Task initTSLUpdateTask(tslconfig); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 00f96f205..6aa34573e 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -58,6 +58,7 @@ import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; +import at.gv.egovernment.moa.spss.util.CertificateUtils; import at.gv.egovernment.moa.spss.util.MessageProvider; /** @@ -191,12 +192,61 @@ public class CMSSignatureVerificationInvoker { for (resultIter = results.iterator(); resultIter.hasNext();) { result = (CMSSignatureVerificationResult) resultIter.next(); + boolean sscdSourceTSL = false; + boolean qcSourceTSL = false; + boolean checkQC = false; + boolean checkSSCD = false; + + List chain = result.getCertificateValidationResult().getCertificateChain(); // check QC and SSCD via TSL (if enabled) - boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain()); - boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());; + boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), chain); + boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), chain); + + if (!checkSSCDFromTSL) { + + boolean checkQCPPlus = CertificateUtils.checkQCPPlus((X509Certificate)chain.get(0)); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD((X509Certificate)chain.get(0)); + + if (checkQCPPlus) + checkSSCD = true; + if (checkQcEuSSCD) + checkSSCD = true; + + sscdSourceTSL = false; + + System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); + System.out.println("checkQCPPlus: " + checkQCPPlus); + System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); + } + else { + checkSSCD = true; + sscdSourceTSL = true; + } + + if (!checkQCFromTSL) { + + boolean checkQCP = CertificateUtils.checkQCP((X509Certificate)chain.get(0)); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance((X509Certificate)chain.get(0)); + + if (checkQCP) + checkQC = true; + if (checkQcEuCompliance) + checkQC = true; + + qcSourceTSL = false; + + System.out.println("checkQCFromTSL: " + checkQCFromTSL); + System.out.println("checkQCP: " + checkQCP); + System.out.println("checkQcEuCompliance: " + checkQcEuCompliance); + } + else { + checkQC = true; + qcSourceTSL = true; + } + - responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL); + responseBuilder.addResult(result, trustProfile, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL); } } else { int i; @@ -207,12 +257,64 @@ public class CMSSignatureVerificationInvoker { try { result = (CMSSignatureVerificationResult) results.get(signatories[i] - 1); + boolean sscdSourceTSL = false; + boolean qcSourceTSL = false; + + boolean checkQC = false; + boolean checkSSCD = false; + + List chain = result.getCertificateValidationResult().getCertificateChain(); // check QC and SSCD via TSL (if enabled) - boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain()); - boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), result.getCertificateValidationResult().getCertificateChain());; + boolean checkQCFromTSL = checkQC(trustProfile.isTSLEnabled(), chain); + boolean checkSSCDFromTSL = checkSSCD(trustProfile.isTSLEnabled(), chain); + + if (!checkSSCDFromTSL) { + + boolean checkQCPPlus = CertificateUtils.checkQCPPlus((X509Certificate)chain.get(0)); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD((X509Certificate)chain.get(0)); + + if (checkQCPPlus) + checkSSCD = true; + if (checkQcEuSSCD) + checkSSCD = true; + + sscdSourceTSL = false; + + System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); + System.out.println("checkQCPPlus: " + checkQCPPlus); + System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); + } + else { + checkSSCD = true; + sscdSourceTSL = true; + } + + if (!checkQCFromTSL) { + + boolean checkQCP = CertificateUtils.checkQCP((X509Certificate)chain.get(0)); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance((X509Certificate)chain.get(0)); + + if (checkQCP) + checkQC = true; + if (checkQcEuCompliance) + checkQC = true; + + qcSourceTSL = false; + + System.out.println("checkQCFromTSL: " + checkQCFromTSL); + System.out.println("checkQCP: " + checkQCP); + System.out.println("checkQcEuCompliance: " + checkQcEuCompliance); - - responseBuilder.addResult(result, trustProfile, checkQCFromTSL, checkSSCDFromTSL); + } + else { + checkQC = true; + qcSourceTSL = true; + } + + + + + responseBuilder.addResult(result, trustProfile, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL); } catch (IndexOutOfBoundsException e) { throw new MOAApplicationException( "2249", diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index 605716d5b..f44cce62a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -73,13 +73,14 @@ public class VerifyCMSSignatureResponseBuilder { * @param trustprofile The actual trustprofile * @param checkQCFromTSL true, if the TSL check verifies the * certificate as qualified, otherwise false. - * @param checkSSCDFromTSL true, if the TSL check verifies the + * @param checkSSCD true, if the TSL check verifies the * signature based on a SSDC, otherwise false. + * @param sscdSourceTSL true, if the SSCD information comes from the TSL, + * otherwise false. * @throws MOAException */ - public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQCFromTSL, boolean checkSSCDFromTSL) + public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL) throws MOAException { - CertificateValidationResult certResult = result.getCertificateValidationResult(); @@ -92,27 +93,18 @@ public class VerifyCMSSignatureResponseBuilder { CheckResult signatureCheck; CheckResult certificateCheck; - boolean qualifiedCertificate = false; - - // verify qualified certificate checks (certificate or TSL) - if (trustProfile.isTSLEnabled()) { - // take TSL result - qualifiedCertificate = checkQCFromTSL; - } - else { - // take result from certificate - qualifiedCertificate = certResult.isQualifiedCertificate(); - } + boolean qualifiedCertificate = checkQC; // add SignerInfo element signerInfo = factory.createSignerInfo( (X509Certificate) certResult.getCertificateChain().get(0), qualifiedCertificate, + qcSourceTSL, certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), - checkSSCDFromTSL); - + checkSSCD, + sscdSourceTSL); // add SignatureCheck element signatureCheck = factory.createCheckResult(signatureCheckCode, null); @@ -120,9 +112,6 @@ public class VerifyCMSSignatureResponseBuilder { // add CertificateCheck element certificateCheck = factory.createCheckResult(certificateCheckCode, null); - - - // build the response element responseElement = factory.createVerifyCMSSignatureResponseElement( diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 755ca82b6..4fdb1eeb7 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java @@ -125,10 +125,12 @@ public class VerifyXMLSignatureResponseBuilder { * @param transformsSignatureManifestCheck The overall result for the signature * manifest check. * @param certificateCheck The overall result for the certificate check. - * @param checkQCFromTSL true, if the TSL check verifies the - * certificate as qualified, otherwise false. - * @param checkSSCDFromTSL true, if the TSL check verifies the - * signature based on a SSDC, otherwise false. + * @param checkQC true, if the certificate is QC, otherwise false. + * @param qcSourceTSL true, if the QC information comes from the TSL, + * otherwise false. + * @param checkSSCD true, if the signature is created by an SSCD, otherwise false. + * @param sscdSourceTSL true, if the SSCD information comes from the TSL, + * otherwise false. * @throws MOAApplicationException An error occurred adding the result. */ public void setResult( @@ -136,8 +138,10 @@ public class VerifyXMLSignatureResponseBuilder { XMLSignatureVerificationProfile profile, ReferencesCheckResult transformsSignatureManifestCheck, CheckResult certificateCheck, - boolean checkQCFromTSL, - boolean checkSSCDFromTSL, + boolean checkQC, + boolean qcSourceTSL, + boolean checkSSCD, + boolean sscdSourceTSL, boolean isTSLEnabledTrustprofile) throws MOAApplicationException { @@ -152,24 +156,18 @@ public class VerifyXMLSignatureResponseBuilder { boolean qualifiedCertificate = false; - // verify qualified certificate checks (certificate or TSL) - if (isTSLEnabledTrustprofile) { - // take TSL result - qualifiedCertificate = checkQCFromTSL; - } - else { - // take result from certificate - qualifiedCertificate = certResult.isQualifiedCertificate(); - } + qualifiedCertificate = checkQC; // create the SignerInfo; signerInfo = factory.createSignerInfo( (X509Certificate) certResult.getCertificateChain().get(0), qualifiedCertificate, + qcSourceTSL, certResult.isPublicAuthorityCertificate(), certResult.getPublicAuthorityID(), - checkSSCDFromTSL); + checkSSCD, + sscdSourceTSL); // Create HashInputData Content objects referenceDataList = result.getReferenceDataList(); diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index f3ac72520..c3cc8bfe8 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -24,7 +24,10 @@ package at.gv.egovernment.moa.spss.server.invoke; +import at.gv.egovernment.moa.spss.util.CertificateUtils; + import iaik.ixsil.exceptions.URIException; + import iaik.ixsil.util.URI; import iaik.server.modules.IAIKException; import iaik.server.modules.IAIKRuntimeException; @@ -208,8 +211,11 @@ public class XMLSignatureVerificationInvoker { requestElement); } - boolean checkQCFromTSL = false; - boolean checkSSCDFromTSL = false; + boolean sscdSourceTSL = false; + boolean qcSourceTSL = false; + + boolean checkQC = false; + boolean checkSSCD = false; String tpID = profile.getCertificateValidationProfile().getTrustStoreProfile().getId(); ConfigurationProvider config = ConfigurationProvider.getInstance(); @@ -242,7 +248,6 @@ public class XMLSignatureVerificationInvoker { if (list != null) { X509Certificate[] chain = new X509Certificate[list.size()]; - Iterator it = list.iterator(); int i = 0; while(it.hasNext()) { @@ -250,8 +255,49 @@ public class XMLSignatureVerificationInvoker { i++; } - checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); - checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); + boolean checkQCFromTSL = TSLUpdaterTimerTask.tslconnector_.checkQC(chain); + boolean checkSSCDFromTSL = TSLUpdaterTimerTask.tslconnector_.checkSSCD(chain); + + if (!checkSSCDFromTSL) { + + boolean checkQCPPlus = CertificateUtils.checkQCPPlus(chain[0]); + boolean checkQcEuSSCD = CertificateUtils.checkQcEuSSCD(chain[0]); + + if (checkQCPPlus) + checkSSCD = true; + if (checkQcEuSSCD) + checkSSCD = true; + + sscdSourceTSL = false; + } + else { + checkSSCD = true; + sscdSourceTSL = true; + } + + if (!checkQCFromTSL) { + + boolean checkQCP = CertificateUtils.checkQCP(chain[0]); + boolean checkQcEuCompliance = CertificateUtils.checkQcEuCompliance(chain[0]); + + if (checkQCP) + checkQC = true; + if (checkQcEuCompliance) + checkQC = true; + + qcSourceTSL = false; + } + else { + checkQC = true; + qcSourceTSL = true; + } + +// System.out.println("chain[0]: " + chain[0]); +// +// System.out.println("checkQCFromTSL: " + checkQCFromTSL); +// System.out.println("checkSSCDFromTSL: " + checkSSCDFromTSL); +// System.out.println("checkQCPPlus: " + checkQCPPlus); +// System.out.println("checkQcEuSSCD: " + checkQcEuSSCD); } } } @@ -278,9 +324,14 @@ public class XMLSignatureVerificationInvoker { // Check if signer certificate is in trust profile's allowed signer certificates pool TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); CheckResult certificateCheck = validateSignerCertificate(result, trustProfile); - + +// System.out.println("checkQC: " + checkQC); +// System.out.println("qcSourceTSL: " + qcSourceTSL); +// System.out.println("checkSSCD: " + checkSSCD); +// System.out.println("sscdSourceTSL: " + sscdSourceTSL); + // build the response - responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, checkQCFromTSL, checkSSCDFromTSL, tp.isTSLEnabled()); + responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, checkQC, qcSourceTSL, checkSSCD, sscdSourceTSL, tp.isTSLEnabled()); return responseBuilder.getResponse(); } diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java index 2e4af2817..49f715cb8 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/connector/TSLConnector.java @@ -88,23 +88,20 @@ public class TSLConnector implements TSLConnectorInterface { if (Configurator.is_isInitialised() == false) new TSLEngineFatalException("The TSL Engine is not initialized!"); - - //TODO: clean hascash and TLS Download folder - String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); - - if (hashcachedir==null) - hashcachedir = DEFAULT_HASHCACHE_DIR; - + String tsldownloaddir = Configurator.get_TSLWorkingDirectoryPath() + "TslDownload"; - File hashcachefile = new File(hashcachedir); - - - File[] filelist = hashcachefile.listFiles(); - if (filelist != null) { - for (File f : filelist) - f.delete(); - } +// String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); +// System.out.println("hashcachedir: " + hashcachedir); +// if (hashcachedir==null) +// hashcachedir = DEFAULT_HASHCACHE_DIR; + +// File hashcachefile = new File(hashcachedir); +// File[] filelist = hashcachefile.listFiles(); +// if (filelist != null) { +// for (File f : filelist) +// f.delete(); +// } File tsldownloadfile = new File(tsldownloaddir); if (!tsldownloadfile.exists()) { diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java index c365a1121..76be8217a 100644 --- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java +++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/tsl/timer/TSLUpdaterTimerTask.java @@ -33,6 +33,7 @@ import at.gv.egovernment.moa.spss.server.iaik.pki.store.truststore.TrustStorePro import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.tsl.connector.TSLConnector; import at.gv.egovernment.moa.spss.util.MessageProvider; +import at.gv.egovernment.moa.util.FileUtils; import at.gv.egovernment.moa.util.StringUtils; @@ -130,7 +131,14 @@ public class TSLUpdaterTimerTask extends TimerTask { // create store updater for each TSL enabled truststore Logger.debug(new LogMsg(msg.getMessage("config.45", null))); StoreUpdater storeUpdater = new StoreUpdater(certStoreParameters, trustStoreProfiles, tid); + + // delete files in trustprofile + File ftp = new File(tp.getUri()); + File[] files = ftp.listFiles(); + for (File file : files) + file.delete(); + // convert ArrayList to X509Certificate[] X509Certificate[] addCertificates = new X509Certificate[tsl_certs.size()]; Iterator itcert = tsl_certs.iterator(); @@ -143,20 +151,18 @@ public class TSLUpdaterTimerTask extends TimerTask { i++; } - // get certificates to be removed - X509Certificate[] removeCertificates = tp.getCertficatesToBeRemoved(); - - - //Logger.debug(new LogMsg(msg.getMessage("config.44", null))); - Logger.debug(new LogMsg("Remove " + removeCertificates.length + " certificates.")); - storeUpdater.removeCertificatesFromTrustStores(removeCertificates, tid); - + // copy files from original trustAnchorsLocURI into tslworking trust profile + File src = new File(tp.getUriOrig()); + files = src.listFiles(); + for (File file : files) { + FileUtils.copyFile(file, new File(tp.getUri(), file.getName())); + } + Logger.debug(new LogMsg("Add " + addCertificates.length + " certificates.")); storeUpdater.addCertificatesToTrustStores(addCertificates, tid); + storeUpdater.addCertificatesToCertStores(addCertificates, tid); - // set the certifcates to be removed for the next TSL update - tp.setCertificatesToBeRemoved(addCertificates); } } diff --git a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties index 1a6e54089..e4ee607c0 100644 --- a/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties +++ b/spss/server/serverlib/src/main/resources/resources/properties/spss_messages_de.properties @@ -158,6 +158,7 @@ config.45=Create store updater config.46=Start periodical TSL update task at {0} and then every {1} milliseconds config.48=No whitelisted URIs given. config.49=Whitelisted URI: {0}. +config.50=Fehler beim Erstellen des TSL Vertrauensprofils: Das Verzeichnis ({0}) ist kein Verzeichnis. handler.00=Starte neue Transaktion: TID={0}, Service={1} handler.01=Aufruf von Adresse={0} -- cgit v1.2.3