author | Thomas <> | 2023-05-02 09:27:05 +0200 |
---|---|---|
committer | Thomas <> | 2023-05-02 09:27:05 +0200 |
commit | dafc76624606f7d47f65006a6bf4695c3a0cd1a9 (patch) | |
tree | 87b7cca5e6abeecf6c0109cf1407a890b53439ab | |
parent | 25927320bb14d0acc2ab8204ff10646014c8c0c8 (diff) | |
feat(pkix): add addition features to validate short-term certificates
25 files changed, 547 insertions, 9 deletions
diff --git a/moaSig/common/build.gradle b/moaSig/common/build.gradle
index 6d90201..c4e6dab 100644
--- a/moaSig/common/build.gradle
+++ b/moaSig/common/build.gradle
@@ -1,5 +1,5 @@
 dependencies {
- implementation files('../libs/iaik_jce_full_signed-5.63_MOA.jar')
+ implementation files('../libs/iaik_jce_full_signed-6.01_moa.jar')
 api 'org.slf4j:slf4j-api:1.7.36'
 api 'xerces:xercesImpl:2.12.2'
 api 'xalan:xalan:2.7.1'
diff --git a/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/Constants.java b/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/Constants.java
index 1102975..d7dfaa1 100644
--- a/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/Constants.java
+++ b/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/Constants.java
@@ -100,7 +100,7 @@ public interface Constants {
 /** Local location of the MOA configuration XML schema definition. */
 String MOA_CONFIG_SCHEMA_LOCATION =
- SCHEMA_ROOT + "MOA-SPSS-config-3.0.0.xsd";
+ SCHEMA_ROOT + "MOA-SPSS-config-3.2.0.xsd";
 /** Local location of the MOA ID configuration XML schema definition. */
 String MOA_ID_CONFIG_SCHEMA_LOCATION =
diff --git a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd
new file mode 100644
index 0000000..cb405c3
--- /dev/null
+++ b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd
@@ -0,0 +1,383 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + MOA SP/SS 1.5.1 Configuration Schema +--> +<xs:schema xmlns:config="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" elementFormDefault="qualified" attributeFormDefault="unqualified"> + <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/> + <xs:element name="MOAConfiguration"> + <xs:complexType> + <xs:sequence> + <xs:element name="Common" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="HardwareCryptoModule" minOccurs="0" maxOccurs="unbounded"> + <xs:complexType> + <xs:sequence> + <xs:element name="Name" type="xs:string"/> + <xs:element name="SlotId" type="xs:string" minOccurs="0"/> + <xs:element name="UserPIN" type="xs:string"/> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="PDFASConfig" type="xs:string" minOccurs="0" maxOccurs="1"/> + <xs:element name="AdESFormResult" type="xs:boolean" minOccurs="0" maxOccurs="1"/> + <xs:choice> + <xs:element name="PermitExternalUris" minOccurs="0"> + <xs:complexType> + <xs:sequence minOccurs="0"> + <xs:element name="BlackListUri" minOccurs="0" maxOccurs="unbounded"> + <xs:complexType> + <xs:sequence> + <xs:element name="IP" type="xs:string"/> + <xs:element name="Port" type="xs:int" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="ForbidExternalUris" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="WhiteListUri" minOccurs="0" maxOccurs="unbounded"> + <xs:complexType> + <xs:sequence> + <xs:element name="IP" type="xs:string"/> + <xs:element name="Port" type="xs:int" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + </xs:element> + 
</xs:sequence> + </xs:complexType> + </xs:element> + </xs:choice> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="SignatureCreation" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="KeyModules"> + <xs:complexType> + <xs:choice maxOccurs="unbounded"> + <xs:element name="HardwareKeyModule"> + <xs:complexType> + <xs:sequence> + <xs:element name="Id" type="xs:token"/> + <xs:element name="Name" type="xs:string"/> + <xs:element name="SlotId" type="xs:string" minOccurs="0"/> + <xs:element name="UserPIN" type="xs:string"/> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="SoftwareKeyModule"> + <xs:complexType> + <xs:sequence> + <xs:element name="Id" type="xs:token"/> + <xs:element name="FileName" type="xs:string"/> + <xs:element name="Password" type="xs:string" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:choice> + </xs:complexType> + </xs:element> + <xs:element name="KeyGroup" maxOccurs="unbounded"> + <xs:complexType> + <xs:sequence> + <xs:element name="Id" type="xs:token"/> + <xs:sequence maxOccurs="unbounded"> + <xs:element name="Key"> + <xs:complexType> + <xs:sequence> + <xs:element name="KeyModuleId" type="xs:token"/> + <xs:element name="KeyCertIssuerSerial" type="dsig:X509IssuerSerialType"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + <xs:element name="DigestMethodAlgorithm" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="KeyGroupMapping" maxOccurs="unbounded"> + <xs:complexType> + <xs:sequence> + <xs:element name="CustomerId" type="dsig:X509IssuerSerialType" minOccurs="0"/> + <xs:element name="KeyGroupId" type="xs:token" maxOccurs="unbounded"/> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="XMLDSig"> + <xs:complexType> + <xs:sequence> + <xs:element name="CanonicalizationAlgorithm" type="xs:anyURI" minOccurs="0"/> + <xs:element name="DigestMethodAlgorithm" type="xs:anyURI" 
minOccurs="0"/> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="CreateTransformsInfoProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/> + <xs:element name="CreateSignatureEnvironmentProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/> + <xs:element name="XAdES" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="Version"> + <xs:simpleType> + <xs:restriction base="xs:token"> + <xs:enumeration value="1.4.2"/> + </xs:restriction> + </xs:simpleType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="SignatureVerification" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="CertificateValidation"> + <xs:complexType> + <xs:sequence> + <xs:element name="ReadTimeout" type="xs:string" minOccurs="0" maxOccurs="1"/> + <xs:element name="PathConstruction"> + <xs:complexType> + <xs:sequence> + <xs:element name="AutoAddCertificates" type="xs:boolean"/> + <xs:element name="AutoAddEECertificates" type="xs:boolean" minOccurs="0" maxOccurs="1"/> + <xs:element name="UseAuthorityInformationAccess" type="xs:boolean"/> + <xs:element name="CertificateStore"> + <xs:complexType> + <xs:choice> + <xs:element name="DirectoryStore"> + <xs:complexType> + <xs:sequence> + <xs:element name="Location" type="xs:token"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:choice> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="PathValidation"> + <xs:complexType> + <xs:sequence> + <xs:element name="ChainingMode"> + <xs:complexType> + <xs:sequence> + <xs:element name="DefaultMode" type="config:ChainingModeType"/> + <xs:element name="TrustAnchor" minOccurs="0" maxOccurs="unbounded"> + <xs:complexType> + <xs:sequence> + <xs:element name="Identification" type="dsig:X509IssuerSerialType"/> + <xs:element name="Mode" type="config:ChainingModeType"/> + 
</xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="TrustProfile" minOccurs="0" maxOccurs="unbounded"> + <xs:complexType> + <xs:sequence> + <xs:element name="Id" type="xs:token"/> + <xs:element name="TrustAnchorsLocation" type="xs:anyURI"/> + <xs:element name="SignerCertsLocation" type="xs:anyURI" minOccurs="0"/> + <xs:element name="EUTSL" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="CountrySelection" type="xs:string" minOccurs="0" maxOccurs="1"/> + <xs:element name="AllowedTSPStatus" type="xs:string" minOccurs="0" maxOccurs="1"/> + <xs:element name="AllowedTSPServiceTypes" type="xs:string" minOccurs="0" maxOccurs="1"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <!-- + <xs:element name="TSLTrustProfile"> + <xs:complexType> + <xs:sequence> + <xs:element name="Id" type="xs:token"/> + <xs:element name="TrustAnchorsLocation" type="xs:anyURI"/> + <xs:element name="SignerCertsLocation" type="xs:anyURI" minOccurs="0"/> + <xs:element name="EUTSL" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="CountrySelection" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + --> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="RevocationChecking"> + <xs:complexType> + <xs:sequence> + <xs:element name="EnableChecking" type="xs:boolean"/> + <xs:element name="MaxRevocationAge" type="xs:integer"/> + <xs:element name="ServiceOrder" minOccurs="0"> + <xs:complexType> + <xs:sequence maxOccurs="2"> + <xs:element name="Service"> + <xs:simpleType> + <xs:restriction base="xs:token"> + <xs:enumeration value="OCSP"/> + <xs:enumeration value="CRL"/> + </xs:restriction> + </xs:simpleType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="Archiving"> + <xs:complexType> + <xs:sequence> + 
<xs:element name="EnableArchiving" type="xs:boolean"/> + <xs:element name="ArchiveDuration" type="xs:nonNegativeInteger" minOccurs="0"/> + <xs:element name="Archive" minOccurs="0"> + <xs:complexType> + <xs:choice> + <xs:element name="DatabaseArchive"> + <xs:complexType> + <xs:sequence> + <xs:element name="JDBCURL" type="xs:anyURI"/> + <xs:element name="JDBCDriverClassName" type="xs:token"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:choice> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="DistributionPoint" minOccurs="0" maxOccurs="unbounded"> + <xs:complexType> + <xs:sequence> + <xs:element name="CAIssuerDN" type="xs:token"/> + <xs:choice maxOccurs="unbounded"> + <xs:element name="CRLDP"> + <xs:complexType> + <xs:sequence> + <xs:element name="Location" type="xs:anyURI"/> + <xs:element name="ReasonCode" minOccurs="0" maxOccurs="unbounded"> + <xs:simpleType> + <xs:restriction base="xs:token"> + <xs:enumeration value="unused"/> + <xs:enumeration value="keyCompromise"/> + <xs:enumeration value="cACompromise"/> + <xs:enumeration value="affiliationChanged"/> + <xs:enumeration value="superseded"/> + <xs:enumeration value="cessationOfOperation"/> + <xs:enumeration value="certificateHold"/> + <xs:enumeration value="privilegeWithdrawn"/> + <xs:enumeration value="aACompromise"/> + </xs:restriction> + </xs:simpleType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="OCSPDP"> + <xs:complexType> + <xs:sequence> + <xs:element name="Location" type="xs:anyURI"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:choice> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="CrlRetentionIntervals" minOccurs="0"> + <xs:complexType> + <xs:sequence maxOccurs="unbounded"> + <xs:element name="CA"> + <xs:complexType> + <xs:sequence> + <xs:element name="X509IssuerName" type="xs:string"/> + <xs:element name="Interval" type="xs:integer"/> + 
</xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="ShortTermedCertificates" minOccurs="0" maxOccurs="1"> + <xs:complexType> + <xs:sequence maxOccurs="unbounded"> + <xs:element name="CA"> + <xs:complexType> + <xs:sequence> + <xs:element name="X509IssuerName" type="xs:string"/> + <xs:element name="ValidityPeriod" type="xs:integer"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + <xs:attribute name="defaultValidityPeriod" type="xs:integer" /> + <xs:attribute name="checkETSIValidityAssuredExtension" type="xs:boolean" /> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="TSLConfiguration" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="EUTSLUrl" type="xs:anyURI" minOccurs="0"/> + <xs:element name="UpdateSchedule" minOccurs="0"> + <xs:complexType> + <xs:sequence> + <xs:element name="StartTime" type="xs:time"/> + <xs:element name="Period" type="xs:unsignedLong"/> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="WorkingDirectory" type="xs:anyURI" minOccurs="0"/> + <xs:element name="Evaluation" minOccurs="1" maxOccurs="1"> + <xs:complexType> + <xs:sequence> + <xs:element name="QCQualifier" type="xs:string" minOccurs="1" maxOccurs="1"/> + <xs:element name="SSCDQualifier" type="xs:string" minOccurs="1" maxOccurs="1"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + <xs:element name="VerifyTransformsInfoProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/> + <xs:element name="SupplementProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/> + <xs:element name="PermitFileURIs" type="xs:boolean" default="false" minOccurs="0"/> + </xs:sequence> + </xs:complexType> + </xs:element> + </xs:sequence> + </xs:complexType> + </xs:element> + 
<xs:simpleType name="ChainingModeType"> + <xs:restriction base="xs:string"> + <xs:enumeration value="chaining"/> + <xs:enumeration value="pkix"/> + </xs:restriction> + </xs:simpleType> + <xs:complexType name="ProfileType"> + <xs:sequence> + <xs:element name="Id" type="xs:token"/> + <xs:element name="Location" type="xs:anyURI"/> + </xs:sequence> + </xs:complexType> +</xs:schema> diff --git a/moaSig/libs/cpxlevel.jar b/moaSig/libs/cpxlevel.jar Binary files differdeleted file mode 100644 index a00eeb4..0000000 --- a/moaSig/libs/cpxlevel.jar +++ /dev/null diff --git a/moaSig/libs/iaik_cms-6.0_moa.jar b/moaSig/libs/iaik_cms-6.0_moa.jar Binary files differnew file mode 100644 index 0000000..f11b250 --- /dev/null +++ b/moaSig/libs/iaik_cms-6.0_moa.jar diff --git a/moaSig/libs/iaik_cms.jar b/moaSig/libs/iaik_cms.jar Binary files differdeleted file mode 100644 index 127160d..0000000 --- a/moaSig/libs/iaik_cms.jar +++ /dev/null diff --git a/moaSig/libs/iaik_cpades-2.4_MOA.jar b/moaSig/libs/iaik_cpades-2.4_moa.jar Binary files differindex 300c215..300c215 100644 --- a/moaSig/libs/iaik_cpades-2.4_MOA.jar +++ b/moaSig/libs/iaik_cpades-2.4_moa.jar diff --git a/moaSig/libs/iaik_cpxlevel-0.9.1_moa.jar b/moaSig/libs/iaik_cpxlevel-0.9.1_moa.jar Binary files differnew file mode 100644 index 0000000..0bbbf6e --- /dev/null +++ b/moaSig/libs/iaik_cpxlevel-0.9.1_moa.jar diff --git a/moaSig/libs/iaik_eccelerate-6.02.jar b/moaSig/libs/iaik_eccelerate-6.02.jar Binary files differdeleted file mode 100644 index e30b629..0000000 --- a/moaSig/libs/iaik_eccelerate-6.02.jar +++ /dev/null diff --git a/moaSig/libs/iaik_eccelerate-6.3.0_eval.jar b/moaSig/libs/iaik_eccelerate-6.3.0_eval.jar Binary files differnew file mode 100644 index 0000000..4422430 --- /dev/null +++ b/moaSig/libs/iaik_eccelerate-6.3.0_eval.jar diff --git a/moaSig/libs/iaik_eccelerate_addon-6.02.jar b/moaSig/libs/iaik_eccelerate_addon-6.02.jar Binary files differdeleted file mode 100644 index 94f2de5..0000000 
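Review bot: `ValidityPeriod` and the `defaultValidityPeriod` attribute under `ShortTermedCertificates` are typed `xs:integer`, which accepts negative and arbitrarily large values for a period that, per the Java side of this commit, suspends revocation checking; the same schema already uses `xs:nonNegativeInteger` for `ArchiveDuration`, so `<xs:element name="ValidityPeriod" type="xs:nonNegativeInteger"/>` and `<xs:attribute name="defaultValidityPeriod" type="xs:nonNegativeInteger" />` would reject a negative period at schema validation instead of at runtime. `checkETSIValidityAssuredExtension` carries no `default`, although the configuration builder falls back to `true` when the whole element is absent; `default="true"` would make that documented default visible to anyone reading the schema. The header comment still reads `MOA SP/SS 1.5.1 Configuration Schema` in a file named 3.2.0 and should name the schema version it actually describes.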
--- a/moaSig/libs/iaik_eccelerate_addon-6.02.jar
+++ /dev/null
diff --git a/moaSig/libs/iaik_eccelerate_addon-6.3.0_eval.jar b/moaSig/libs/iaik_eccelerate_addon-6.3.0_eval.jar
Binary files differ
new file mode 100644
index 0000000..182a150
--- /dev/null
+++ b/moaSig/libs/iaik_eccelerate_addon-6.3.0_eval.jar
diff --git a/moaSig/libs/iaik_eccelerate_cms-6.02.jar b/moaSig/libs/iaik_eccelerate_cms-6.02.jar
Binary files differ
deleted file mode 100644
index 32d7aec..0000000
--- a/moaSig/libs/iaik_eccelerate_cms-6.02.jar
+++ /dev/null
diff --git a/moaSig/libs/iaik_jce_full_signed-5.63_MOA.jar b/moaSig/libs/iaik_jce_full_signed-6.01_moa.jar
Binary files differ
index cf4a2dd..bde418f 100644
--- a/moaSig/libs/iaik_jce_full_signed-5.63_MOA.jar
+++ b/moaSig/libs/iaik_jce_full_signed-6.01_moa.jar
diff --git a/moaSig/libs/iaik_moa-2.08.jar b/moaSig/libs/iaik_moa-2.09.jar
Binary files differ
index 16a3529..a73a348 100644
--- a/moaSig/libs/iaik_moa-2.08.jar
+++ b/moaSig/libs/iaik_moa-2.09.jar
diff --git a/moaSig/libs/iaik_pki_module-2.02_moa.jar b/moaSig/libs/iaik_pki_module-2.03_moa.jar
Binary files differ
index b7979e5..a017fe6 100644
--- a/moaSig/libs/iaik_pki_module-2.02_moa.jar
+++ b/moaSig/libs/iaik_pki_module-2.03_moa.jar
diff --git a/moaSig/libs/iaik_sva-1.2.0.jar b/moaSig/libs/iaik_sva-1.2.0.jar
Binary files differ
new file mode 100644
index 0000000..a9d3824
--- /dev/null
+++ b/moaSig/libs/iaik_sva-1.2.0.jar
diff --git a/moaSig/libs/iaik_tsp.jar b/moaSig/libs/iaik_tsp-2.32_eval.jar
Binary files differ
index fbd9abd..fbd9abd 100644
--- a/moaSig/libs/iaik_tsp.jar
+++ b/moaSig/libs/iaik_tsp-2.32_eval.jar
diff --git a/moaSig/libs/iaik_xsect-2.14_MOA.jar b/moaSig/libs/iaik_xsect-2.14_moa.jar
Binary files differ
index aa3c229..aa3c229 100644
--- a/moaSig/libs/iaik_xsect-2.14_MOA.jar
+++ b/moaSig/libs/iaik_xsect-2.14_moa.jar
diff --git a/moaSig/libs/sigval-0.0.1.jar b/moaSig/libs/sigval-0.0.1.jar
Binary files differ
deleted file mode 100644
index efbbbaa..0000000
--- a/moaSig/libs/sigval-0.0.1.jar
+++ /dev/null
diff --git a/moaSig/libs/sigvallib-0.0.1.jar b/moaSig/libs/sigvallib-0.0.1.jar
Binary files differ
deleted file mode 100644
index 16b9d78..0000000
--- a/moaSig/libs/sigvallib-0.0.1.jar
+++ /dev/null
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index 5daf1a6..5f8b46d 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -94,6 +94,9 @@ public class ConfigurationPartsBuilder {
 private static final String CM_CHAINING = "chaining";
 private static final String CM_PKIX = "pkix";
+ private static final int SHORT_TIME_CERT_DEFAULT_INTERVAL = 0;
+ private static final boolean SHORT_TIME_CERT_DEFAULT_ETSI = true;
+
 //
 // XPath expressions to select certain parts of the configuration
 //
@@ -205,6 +208,17 @@ public class ConfigurationPartsBuilder {
 + CONF + "RevocationChecking/"
 + CONF + "CrlRetentionIntervals/"
 + CONF + "CA";
+
+ private static final String SHORT_TIME_CERTS_INTERVALS_XPATH =
+ ROOT + CONF + "SignatureVerification/"
+ + CONF + "CertificateValidation/"
+ + CONF + "RevocationChecking/"
+ + CONF + "ShortTermedCertificates";
+
+ private static final String SHORT_TIME_CERTS_INTERVALS_CA_XPATH =
+ SHORT_TIME_CERTS_INTERVALS_XPATH + "/"
+ + CONF + "CA";
+
 private static final String ENABLE_REVOCATION_CHECKING_XPATH_ =
 ROOT + CONF + "SignatureVerification/"
 + CONF + "CertificateValidation/"
@@ -1718,17 +1732,84 @@ public class ConfigurationPartsBuilder {
 final String x509IssuerName = getElementValue(modElem, CONF + "X509IssuerName", null);
 final String i = getElementValue(modElem, CONF + "Interval", null);
 final Integer interval = new Integer(i);
- try {
- final RFC2253NameParser parser = new RFC2253NameParser(x509IssuerName);
- final Name name = parser.parse();
- map.put(name.getRFC2253String(), interval);
- } catch (final RFC2253NameParserException e) {
- map.put(x509IssuerName, interval);
- }
+ map.put(ConfigurationProvider.normalizeX500Names(x509IssuerName), interval);
 }
 return map;
 }
+
+ /**
+ * Should ETSI extension should be used for short-time certificate validation.
+ *
+ * @return <code>true</code> if it is used
+ */
+ public boolean isShotTimeCertEtsiExtCheck() {
+ final NodeIterator modIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ SHORT_TIME_CERTS_INTERVALS_XPATH);
+
+ Element modElem;
+ if ((modElem = (Element) modIter.nextNode()) != null) {
+ Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension"));
+ Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension");
+ return value;
+
+ }
+
+ return SHORT_TIME_CERT_DEFAULT_ETSI;
+ }
+
+ /**
+ * Get default shortTime certificate interval.
+ *
+ * @return Time in minutes
+ */
+ public int getShotTimeCertDefaultInterval() {
+ final NodeIterator modIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ SHORT_TIME_CERTS_INTERVALS_XPATH);
+
+ Element modElem;
+ if ((modElem = (Element) modIter.nextNode()) != null) {
+ String defaultString = modElem.getAttribute("defaultValidityPeriod");
+ Logger.debug("Set default shortTimePeriodInterval to: " + defaultString);
+ return Integer.valueOf(defaultString);
+
+ }
+
+ return SHORT_TIME_CERT_DEFAULT_INTERVAL;
+ }
+
+
+ /**
+ * Returns a map of shortTime certificate intervals.
+ *
+ * <p>
+ * No revocation checks are performed during this interval.
+ * </p>
+ *
+ * @return
+ */
+ public Map<String, Integer> getShotTimeCertIntervals() {
+ final Map map = new HashMap();
+ final NodeIterator modIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ SHORT_TIME_CERTS_INTERVALS_CA_XPATH);
+
+ Element modElem;
+ while ((modElem = (Element) modIter.nextNode()) != null) {
+ final String x509IssuerName = ConfigurationProvider.normalizeX500Names(
+ getElementValue(modElem, CONF + "X509IssuerName", null));
+ final String i = getElementValue(modElem, CONF + "ValidityPeriod", null);
+ final Integer interval = new Integer(i);
+ map.put(x509IssuerName, interval);
+ Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName);
+
+ }
+
+ return map;
+ }
+
 }
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index 4596109..85930b2 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -258,6 +258,12 @@ public class ConfigurationProvider {
 */
 private Map crlRetentionIntervals;
+
+ private boolean useShortTimeCertificateEtisExt;
+ private int defaultShortTimeCertificatePeriod;
+ private Map<String, Integer> shortTimeCertificatePeriods;
+
+
 /**
 * Indicates wether external URIs are allowed or not
 */
@@ -416,6 +422,10 @@ public class ConfigurationProvider {
 permitFileURIs = builder.getPermitFileURIs();
 crlRetentionIntervals = builder.getCrlRetentionIntervals();
+ shortTimeCertificatePeriods = builder.getShotTimeCertIntervals();
+ defaultShortTimeCertificatePeriod = builder.getShotTimeCertDefaultInterval();
+ useShortTimeCertificateEtisExt = builder.isShotTimeCertEtsiExtCheck();
+
 allowExternalUris_ = builder.allowExternalUris();
 if (allowExternalUris_) {
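Review bot: In `isShotTimeCertEtsiExtCheck` the `ShortTermedCertificates` element is matched but its `checkETSIValidityAssuredExtension` attribute is read with `getAttribute`, which returns the empty string when the attribute is absent, and `Boolean.valueOf("")` is `false`; a configuration that declares the element without the optional attribute therefore silently disables the ETSI check although `SHORT_TIME_CERT_DEFAULT_ETSI` is `true`. `getShotTimeCertDefaultInterval` has the mirror problem: `Integer.valueOf("")` throws `NumberFormatException` during configuration load when `defaultValidityPeriod` is omitted, so both methods should fall through to their defaults unless `modElem.hasAttribute(...)` holds, as in the excerpt below, and the debug message in the first method also lacks a space before `shortTime`. In `getShotTimeCertIntervals` the raw `Map`/`HashMap` and deprecated `new Integer(i)` can become `final Map<String, Integer> map = new HashMap<>();` and `Integer.valueOf(i)`, and a negative `ValidityPeriod` is accepted without complaint even though the Javadoc states that no revocation checks run during that interval; rejecting values below zero at load time would keep a typo from widening that window. The `@return` tag on the same Javadoc is empty and should say that keys are normalized RFC 2253 issuer names and values are minutes. The enclosing `getCrlRetentionIntervals` starts before this hunk.
```java
    Element modElem;
    if ((modElem = (Element) modIter.nextNode()) != null
        && modElem.hasAttribute("checkETSIValidityAssuredExtension")) {
      final boolean value = Boolean.parseBoolean(modElem.getAttribute("checkETSIValidityAssuredExtension"));
      Logger.debug((value ? "Enable" : "Disable") + " shortTime certificate ETSI extension");
      return value;
    }
    return SHORT_TIME_CERT_DEFAULT_ETSI;

    // … unchanged: getShotTimeCertDefaultInterval Javadoc and XPath lookup …
    if ((modElem = (Element) modIter.nextNode()) != null
        && modElem.hasAttribute("defaultValidityPeriod")) {
      final String defaultString = modElem.getAttribute("defaultValidityPeriod");
      Logger.debug("Set default shortTimePeriodInterval to: " + defaultString);
      return Integer.parseInt(defaultString);
    }
    return SHORT_TIME_CERT_DEFAULT_INTERVAL;
```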
@@ -998,5 +1008,33 @@ public class ConfigurationProvider {
 public TSLConfiguration getTSLConfiguration() {
 return tslconfiguration_;
 }
+
+ public int getDefaultShortTimeCertificatePeriod() {
+ return defaultShortTimeCertificatePeriod;
+ }
+
+ public boolean isUseShortTimeCertificateEtisExt() {
+ return useShortTimeCertificateEtisExt;
+ }
+
+ public Map<String, Integer> getShortTimeCertificatePeriods() {
+ return shortTimeCertificatePeriods;
+ }
+
+
+ public static final String normalizeX500Names(String x500Name) {
+ try {
+ final RFC2253NameParser parser = new RFC2253NameParser(x500Name);
+ final Name name = parser.parse();
+ return name.getRFC2253String();
+
+ } catch (final RFC2253NameParserException e) {
+ Logger.info("X500Name: " + x500Name + " can not be normalized. Use it as it is");
+ return x500Name;
+
+ }
+
+ }
+
 }
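Review bot: `getShortTimeCertificatePeriods` hands out the internal `shortTimeCertificatePeriods` map itself, so any caller can alter the issuer-to-period table that decides how long revocation checking is deferred after the configuration has been loaded; `return Collections.unmodifiableMap(shortTimeCertificatePeriods);` (with the `java.util.Collections` import if the file lacks it) keeps it read-only. `normalizeX500Names` reports a parse failure only at `info` level and returns the raw string, but `RevocationConfigurationImpl.getShortTermedValidityPeriod` in this same commit looks issuers up by their normalized form, so a configured `X509IssuerName` that does not parse can never match and the default period is applied with no visible error; `Logger.warn("X500Name: " + x500Name + " can not be normalized. Use it as it is", e)` would surface that misconfiguration with its cause. `final` on a `static` method has no effect and can be dropped from `public static final String normalizeX500Names`. The three new getters carry no Javadoc; a one-line summary on each, stating that the period values are minutes, would spare callers a trip to the builder.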
\ No newline at end of file
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java
index 6aa20cf..002df3b 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/RevocationConfigurationImpl.java
@@ -30,8 +30,11 @@ import java.util.Map;
 import java.util.Set;
 import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moaspss.logging.Logger;
+import iaik.asn1.structures.Name;
 import iaik.pki.revocation.RevocationConfiguration;
 import iaik.pki.revocation.dbcrl.config.DBCrlConfig;
+import iaik.utils.RFC2253NameParserException;
 /**
 * An implementation of the <code>RevocationConfiguration</code> interface using
@@ -111,4 +114,31 @@ public class RevocationConfigurationImpl extends AbstractObservableConfiguration
 return false;
 }
+ @Override
+ public boolean checkETSIValidityAssuredShortTermExt() {
+ return config.isUseShortTimeCertificateEtisExt();
+
+ }
+
+ @Override
+ public Long getShortTermedValidityPeriod(X509Certificate eeCert) {
+ try {
+ String issuer = ConfigurationProvider.normalizeX500Names(((Name)eeCert.getIssuerDN()).getRFC2253String());
+ if (config.getShortTimeCertificatePeriods().containsKey(issuer)) {
+ Integer interval = config.getShortTimeCertificatePeriods().get(issuer);
+ Logger.debug("Use shortTermedValidityPeriod: " + interval + "[min] for Issuer: " + issuer);
+ return Long.valueOf(interval) * 60 * 1000;
+
+ }
+
+ } catch (RFC2253NameParserException e) {
+ Logger.warn("Can not normalize X509 IssuerName: " + eeCert.getIssuerDN(), e);
+
+ }
+
+ Logger.debug("Use default shortTermedValidityPeriod: " + config.getDefaultShortTimeCertificatePeriod() + "[min]");
+ return Long.valueOf(config.getDefaultShortTimeCertificatePeriod()) * 60 * 1000;
+
+ }
+
 }
diff --git a/release-infos/handbook/conf/moa-spss/spss.config.xml b/release-infos/handbook/conf/moa-spss/spss.config.xml
index 222546b..e1d61a6 100644
--- a/release-infos/handbook/conf/moa-spss/spss.config.xml
+++ b/release-infos/handbook/conf/moa-spss/spss.config.xml
@@ -214,6 +214,12 @@
 <cfg:Interval>12775</cfg:Interval>
 </cfg:CA>
 </cfg:CrlRetentionIntervals>
+ <cfg:ShortTermedCertificates defaultValidityPeriod="0" checkETSIValidityAssuredExtension="true">
+ <cfg:CA>
+ <cfg:X509IssuerName>ORG_ID=VATAT-U64741248,OU=Digital Certificate Services,CN=Swisscom Diamant EU CA 4.1,O=Swisscom IT Services Finance S.E.,C=AT</cfg:X509IssuerName>
+ <cfg:ValidityPeriod>15</cfg:ValidityPeriod>
+ </cfg:CA>
+ </cfg:ShortTermedCertificates>
 </cfg:RevocationChecking>
 </cfg:CertificateValidation>
 <cfg:PermitFileURIs>false</cfg:PermitFileURIs> |
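Review bot: `getShortTermedValidityPeriod` looks the issuer up twice (`containsKey` followed by `get`), each time fetching the map through the getter; `final Integer interval = config.getShortTimeCertificatePeriods().get(issuer); if (interval != null) { … }` does a single lookup and also tolerates a null value. The configured period reaches the IAIK validator without any range check, so a negative or implausibly large `ValidityPeriod` is converted to milliseconds as-is, and since the builder's Javadoc in this commit states that no revocation checks run during that interval, rejecting `interval < 0` here or at configuration load is worth adding. The cast `(Name) eeCert.getIssuerDN()` presumably relies on `X509Certificate` being the IAIK class (its import is outside this hunk); if a JDK certificate could ever arrive here the cast would throw `ClassCastException`, which the `RFC2253NameParserException` catch does not cover. When normalization fails the method logs a warning and falls back to the default period, which is presumably harmless only while `defaultValidityPeriod` stays at 0 as in the shipped sample configuration; a comment on the fallback line stating that assumption would help the next maintainer, e.g. `// unparsable issuer: fall back to the global default rather than fail closed`.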