diff options
| author | Thomas Lenz <thomas.lenz@a-sit.at> | 2025-09-25 06:29:19 +0000 |
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@a-sit.at> | 2025-09-25 06:29:19 +0000 |
| commit | 32d859478da3c8368213ba398b70b8ee39861f03 (patch) | |
| tree | 6190080e24df905ad07295b2f241f61c5cb77c94 /moaSig/moa-sig-lib/src/main/java/at | |
| parent | f332d5a3b6bbe0650f0f8485a1e92d4b2fe5dbf4 (diff) | |
| parent | 71c6b41accf6786cd790fd931c909f119979b2c6 (diff) | |
| download | moa-sig-master.tar.gz moa-sig-master.tar.bz2 moa-sig-master.zip | |
Nightlybuild
See merge request egiz/moa-sig!3
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at')
27 files changed, 397 insertions, 197 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java index d0be7d5..5d378ce 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java @@ -316,7 +316,7 @@ public abstract class SPSSFactory { * @param profileID The profile ID to resolve during signature creation. * @return The <code>CreateSignatureEnvironmentProfile</code> containing the * given profile ID. - * + * * @pre profileID != null && profileID.length() > 0 * @post return != null */ @@ -398,8 +398,7 @@ public abstract class SPSSFactory { /** * Create a new <code>SignatureEnvironmentResponse</code> object. * - * @param signatureEnvironment The signature environment containing the - * signature. + * @param base64value Signature as Base64 encoded data * @return The <code>SignatureEnvironmentResponse</code> containing the * <code>signatureEnvironment</code>. * @@ -959,15 +958,15 @@ public abstract class SPSSFactory { /** * Create a new <code>Content</code> object containing location reference data. - * + * * @param locationReferenceURI a URI pointing to the actual remote location of * the content. - * + * * @param referenceURI An URI identifying the data. May be * <code>null</code>. - * + * * @return The <code>Content</code> object containing the data. - * + * * @pre locationReferenceURI != null * @post return != null */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java index 3d5279f..ab73c22 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java @@ -32,7 +32,7 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureLocation; /** * Default implementation of - * <codeCreateSignatureEnvironmentProfileExplicit</code>. + * <code>CreateSignatureEnvironmentProfileExplicit</code>. * * @author Patrick Peck * @version $Id$ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java index d1eebca..ed6f449 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java @@ -30,7 +30,7 @@ import java.util.List; import at.gv.egovernment.moa.spss.api.xmlverify.ReferenceInfo; /** - * Default implementation of <codeReferenceInfo</code>. + * Default implementation of <code>ReferenceInfo</code>. * * @author Fatemeh Philippi * @version $Id$ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java index 173ecbf..571977e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java @@ -62,7 +62,7 @@ public class RequestParserUtils { /** * Parse a <code>XMLDataObjectAssociationType</code> kind of DOM element. - * + * * @param assocElem The <code>XMLDataObjectAssociationType</code> kind of DOM * elmeent to parse. * @return The <code>XMLDataObjectAssociation</code> API object containing the @@ -79,7 +79,7 @@ public class RequestParserUtils { /** * Parse a <code>MetaInfoType</code> kind of DOM element. - * + * * @param metaInfoElem The <code>MetaInfoType</code> kind of DOM element. * @return The <code>MetaInfo</code> API object containing the data from the * <code>metaInfoElem</code>. @@ -97,7 +97,7 @@ public class RequestParserUtils { /** * Parse a <code>ContentOptionalRefType</code> or * <code>ContentRequiredRefType</code> kind of DOM element. - * + * * @param contentParentElem The DOM element being the parent of the content * element. * @return The <code>Content</code> API object containing the data from the @@ -127,7 +127,7 @@ public class RequestParserUtils { /** * Get the signing time from a Verfiy(CMS|XML)SignatureRequest. - * + * * @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code> DOM * element. * @param dateTimeXPath The XPath to lookup the <code>DateTime</code> element @@ -162,11 +162,12 @@ public class RequestParserUtils { /** * Get the signing time from a Verfiy(CMS|XML)SignatureRequest. - * - * @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code> DOM - * element. - * @param dateTimeXPath The XPath to lookup the <code>DateTime</code> element - * within the request. + * + * @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code> + * DOM element. + * @param extendedValidationXPath The XPath to lookup the <code>DateTime</code> + * element within the request. + * @param defaultValue Default value if XPath value is null or empty * @return Date The date and time corresponding to the <code>DateTime</code> * element in the request. If no <code>DateTime</code> element exists in * the request, <code>null</code> is returned. diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java index 1156aa1..daf3802 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java @@ -499,7 +499,7 @@ public class ResponseBuilderUtils { * element. * @param elementName The name of the newly created element. * @param code The content of the <code>Code</code> subelement. - * @param info The content of the <code>Info</code> subelement. + * @param name The content of the <code>Info</code> subelement. */ public static void addFormCheckElement( Document response, diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java index bcab978..1279d73 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java @@ -171,7 +171,7 @@ public class VerifyCMSSignatureRequestParser { // put the signatories into a List while (tokenizer.hasMoreTokens()) { try { - signatoriesList.add(new Integer(tokenizer.nextToken())); + signatoriesList.add(Integer.valueOf(tokenizer.nextToken())); } catch (final NumberFormatException e) { // this cannot occur if the request has been validated } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java index bf11240..0f1a57d 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java @@ -50,18 +50,19 @@ public class CRLDistributionPoint extends DistributionPoint implements // create the mapping between reason code strings and their integer // values - RC_MAPPING.put("unused", new Integer(iaik.asn1.structures.DistributionPoint.unused)); - RC_MAPPING.put("keyCompromise", new Integer(iaik.asn1.structures.DistributionPoint.keyCompromise)); - RC_MAPPING.put("cACompromise", new Integer(iaik.asn1.structures.DistributionPoint.cACompromise)); - RC_MAPPING.put("affiliationChanged", new Integer( + RC_MAPPING.put("unused", Integer.valueOf(iaik.asn1.structures.DistributionPoint.unused)); + RC_MAPPING.put("keyCompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.keyCompromise)); + RC_MAPPING.put("cACompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.cACompromise)); + RC_MAPPING.put("affiliationChanged", Integer.valueOf( iaik.asn1.structures.DistributionPoint.affiliationChanged)); - RC_MAPPING.put("superseded", new Integer(iaik.asn1.structures.DistributionPoint.superseded)); + RC_MAPPING.put("superseded", Integer.valueOf(iaik.asn1.structures.DistributionPoint.superseded)); RC_MAPPING.put("cessationOfOperation", - new Integer(iaik.asn1.structures.DistributionPoint.cessationOfOperation)); - RC_MAPPING.put("certificateHold", new Integer(iaik.asn1.structures.DistributionPoint.certificateHold)); - RC_MAPPING.put("privilegeWithdrawn", new Integer( + Integer.valueOf(iaik.asn1.structures.DistributionPoint.cessationOfOperation)); + RC_MAPPING.put("certificateHold", Integer.valueOf( + iaik.asn1.structures.DistributionPoint.certificateHold)); + RC_MAPPING.put("privilegeWithdrawn", Integer.valueOf( iaik.asn1.structures.DistributionPoint.privilegeWithdrawn)); - RC_MAPPING.put("aACompromise", new Integer(iaik.asn1.structures.DistributionPoint.aACompromise)); + RC_MAPPING.put("aACompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.aACompromise)); } /** @@ -76,12 +77,12 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Create a <code>CRLDistributionPoint</code>. - * + * * @param issuerName The name of the CA issuing the CRL referred to by this * DP. - * + * * @param uri The URI of the distribution point. - * + * * @param reasonCodeStr A list of reason codes (a space-separated enumeration). */ public CRLDistributionPoint(String issuerName, String uri, String reasonCodeStr) { @@ -101,7 +102,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Convert a list of reason codes provided as a <code>String</code> to a binary * representation. - * + * * @param reasonCodeStr A <code>String</code> containing a blank-separated, * textual representation of reason codes. * @return int A binary representation of reason codes. @@ -143,7 +144,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Return a binary representation of the reason codes of this distribution * point. - * + * * @return The binary representation of the reason codes. */ @Override @@ -153,7 +154,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Return a <code>String</code> representation of this distribution point. - * + * * @return The <code>String</code> representation of this distribution point. * @see java.lang.Object#toString() */ @@ -163,7 +164,7 @@ public class CRLDistributionPoint extends DistributionPoint implements } /** - * @see iaik.pki.revocation.CRLDistributionPoint#getIssuerName() + * Get CRL issuer-name. */ public String getIssuerName() { return issuerName_; diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 75da0a6..09ec921 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -154,6 +154,11 @@ public class ConfigurationPartsBuilder { private static final String KEYGROUP_MAPPING_XPATH = ROOT + CONF + "SignatureCreation/" + CONF + "KeyGroupMapping"; + + private static final String SIGN_PARAMS_XPATH = + ROOT + CONF + "SignatureCreation/" + + CONF + "Signing"; + private static final String ISSUER_XPATH = DSIG + "X509IssuerName"; private static final String SERIAL_XPATH = @@ -576,7 +581,7 @@ public class ConfigurationPartsBuilder { entry = new BlackListEntry(host, -1); info("config.34", new Object[] { host }); } else { - entry = new BlackListEntry(host, new Integer(port).intValue()); + entry = new BlackListEntry(host, Integer.valueOf(port).intValue()); info("config.34", new Object[] { host + ":" + port }); } @@ -626,7 +631,7 @@ public class ConfigurationPartsBuilder { entry = new WhiteListEntry(host, -1); info("config.49", new Object[] { host }); } else { - entry = new WhiteListEntry(host, new Integer(port).intValue()); + entry = new WhiteListEntry(host, Integer.valueOf(port).intValue()); info("config.49", new Object[] { host + ":" + port }); } @@ -759,9 +764,22 @@ public class ConfigurationPartsBuilder { final String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null); - final Set keyGroupEntries = - buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); - final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm); + final Set keyGroupEntries = buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); + + String rsaSsaPssAttr = keyGroupElem.getAttribute("RSASSA-PSS"); + Boolean useRsaSsaPss = null; + if (org.apache.commons.lang3.StringUtils.isNotEmpty(rsaSsaPssAttr)) { + useRsaSsaPss = Boolean.valueOf(keyGroupElem.getAttribute("RSASSA-PSS")); + Logger.info((useRsaSsaPss ? "Enable" : "Disable") + + " RSASSA-PSS as primary signature-algorithm for keyGroup: " + keyGroupId); + + } else { + Logger.debug("RSASSA-PSS is not defined for keyGroup: " + keyGroupId); + + } + + final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, + keyGroupDigestMethodAlgorithm, useRsaSsaPss); if (keyGroups.containsKey(keyGroupId)) { warn("config.04", new Object[] { "KeyGroup", keyGroupId }); @@ -1504,7 +1522,7 @@ public class ConfigurationPartsBuilder { * Returns the JDBC URL for the revocation archive database. * * @return the JDBC URL for the revocation archive database, or - * <code>null</code, if the corresponding parameter is not set in the + * <code>null</code>, if the corresponding parameter is not set in the * configuration. */ public String getRevocationArchiveJDBCURL() { @@ -1516,7 +1534,7 @@ public class ConfigurationPartsBuilder { * Returns the JDBC driver class name for the revocation archive database. * * @return the JDBC driver class name for the revocation archive database, or - * <code>null</code, if the corresponding parameter is not set in the + * <code>null</code>, if the corresponding parameter is not set in the * configuration. */ public String getRevocationArchiveJDBCDriverClass() { @@ -1762,7 +1780,7 @@ public class ConfigurationPartsBuilder { while ((modElem = (Element) modIter.nextNode()) != null) { final String x509IssuerName = getElementValue(modElem, CONF + "X509IssuerName", null); final String i = getElementValue(modElem, CONF + "Interval", null); - final Integer interval = new Integer(i); + final Integer interval = Integer.valueOf(i); map.put(ConfigurationProvider.normalizeX500Names(x509IssuerName), interval); } @@ -1770,6 +1788,33 @@ public class ConfigurationPartsBuilder { return map; } + /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * <p> + * <b>Default: </b> <code>true</code> + * </p> + * + * @return <code>true</code> if RSASSA-PSS should be used, otherwise false. + */ + public boolean isRsaSsaPssEnabled() { + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SIGN_PARAMS_XPATH); + + + Element modElem; + if ((modElem = (Element) modIter.nextNode()) != null) { + Boolean value = Boolean.valueOf(modElem.getAttribute("RSASSA-PSS")); + Logger.debug((value ? "Enable" : "Disable") + " RSASSA-PSS as primary signature-algorithm for RSA"); + return value; + + } else { + Logger.debug("Enable RSASSA-PSS as primary signature-algorithm for RSA"); + return true; + + } + } /** * Should ETSI extension should be used for short-time certificate validation. @@ -1792,6 +1837,7 @@ public class ConfigurationPartsBuilder { return SHORT_TIME_CERT_DEFAULT_ETSI; } + /** * Get default shortTime certificate interval. * @@ -1834,7 +1880,7 @@ public class ConfigurationPartsBuilder { final String x509IssuerName = ConfigurationProvider.normalizeX500Names( getElementValue(modElem, CONF + "X509IssuerName", null)); final String i = getElementValue(modElem, CONF + "ValidityPeriod", null); - final Integer interval = new Integer(i); + final Integer interval = Integer.valueOf(i); map.put(x509IssuerName, interval); Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName); diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 3c720a1..6856e56 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -103,6 +103,9 @@ public class ConfigurationProvider { /** The default canonicalization algorithm name */ private String canonicalizationAlgorithmName; + /** The default of use RSASSA-PSS if supported */ + private boolean useRsaSsaPss; + /** The XAdES version used for signature creation */ private String xadesVersion; @@ -375,6 +378,8 @@ public class ConfigurationProvider { // check TSL configuration checkTSLConfiguration(); + useRsaSsaPss = builder.isRsaSsaPssEnabled(); + digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName(); canonicalizationAlgorithmName = builder.getCanonicalizationAlgorithmName(); @@ -556,6 +561,15 @@ public class ConfigurationProvider { } /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * @return <code>true</code> if RSASSA-PSS should be used, otherwise false. + */ + public boolean isUseRsaSsaPss() { + return useRsaSsaPss; + } + + /** * Return the XAdES version used for signature creation. * * @return The XAdES version used for signature creation, or an empty diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java index faeaf82..fc374ab 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java @@ -42,6 +42,9 @@ public class KeyGroup { /** The digest method algorithm for the key group */ private final String digestMethodAlgorithm; + /** Use RSASSA-PSS if supported */ + private final Boolean useRsaSsaPss; + /** * Create a <code>KeyGroup</code>. * @@ -51,9 +54,25 @@ public class KeyGroup { * @param digestMethodAlgorithm The signature algorithm used for this key group */ public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) { + this(id, keyGroupEntries, digestMethodAlgorithm, true); + + } + + /** + * Create a <code>KeyGroup</code>. + * + * @param id The ID of this <code>KeyGroup</code>. + * @param keyGroupEntries The keys belonging to this + * <code>KeyGroup</code>. + * @param useRsaSsaPss Use RSASSA-PSS if available and supported + * @param digestMethodAlgorithm The signature algorithm used for this key group + */ + public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm, Boolean useRsaSsaPss) { this.id = id; this.keyGroupEntries = keyGroupEntries; this.digestMethodAlgorithm = digestMethodAlgorithm; + this.useRsaSsaPss = useRsaSsaPss; + } /** @@ -84,6 +103,17 @@ public class KeyGroup { } /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * @return <code>true</code> if RSASSA-PSS should be used, <code>false</code> if + * it is disabled, or <code>null</code> if it is undefined + */ + public Boolean isUseRsaSsaPass() { + return useRsaSsaPss; + + } + + /** * Return a <code>String</code> representation of this <code>KeyGroup</code>. * * @return The <code>String</code> representation. @@ -102,7 +132,7 @@ public class KeyGroup { } } return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " - + digestMethodAlgorithm; + + digestMethodAlgorithm + useRsaSsaPss != null ? ("RSASSA-PSS: " + useRsaSsaPss) : ""; } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java index d660c7a..e5b6025 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java @@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.cmssign; import java.util.List; import java.util.Set; +import org.apache.commons.lang3.StringUtils; + import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -63,15 +65,36 @@ public class CMSSignatureCreationProfileImpl /** Digest Method algorithm */ private String digestMethod; private final boolean isPAdESConform; + private final boolean rsaSsaPss; + + public CMSSignatureCreationProfileImpl( + Set keySet, + String digestMethod, + List signedProperties, + boolean securityLayerConform, + boolean includeData, + String mimeType, + boolean isPAdESConform) { + this(keySet, digestMethod, signedProperties, securityLayerConform, includeData, mimeType, + isPAdESConform, true); + + } /** - * Create a new <code>XMLSignatureCreationProfileImpl</code>. + * Creates a CMS based signature-creation profile. * - * @param createProfileCount Provides external information about the number of - * calls to the signature creation module, using the - * same request. - * @param reservedIDs The set of IDs that must not be used while - * generating new IDs. + * @param keySet Set of signing keys + * @param digestMethod Hash algorithm + * @param signedProperties List of signing properties + * @param securityLayerConform If <code>true</code> create a CAdES-B signature, + * otherwise CMS signature + * @param includeData If <code>true</code> create an embedded + * signature, otherwise a detached + * @param mimeType MimeType to be set + * @param isPAdESConform If <code>true</code> signature fulfill PAdES + * requirements + * @param rsaSsaPss If <code>true</code> use RSASSA-PSS algorithms, + * otherwise RSA#1.5 */ public CMSSignatureCreationProfileImpl( Set keySet, @@ -80,7 +103,8 @@ public class CMSSignatureCreationProfileImpl boolean securityLayerConform, boolean includeData, String mimeType, - boolean isPAdESConform) { + boolean isPAdESConform, + boolean rsaSsaPss) { this.keySet = keySet; this.signedProperties = signedProperties; this.securityLayerConform = securityLayerConform; @@ -88,6 +112,7 @@ public class CMSSignatureCreationProfileImpl this.mimeType = mimeType; this.digestMethod = digestMethod; this.isPAdESConform = isPAdESConform; + this.rsaSsaPss = rsaSsaPss; } @@ -131,11 +156,70 @@ public class CMSSignatureCreationProfileImpl null); } + final String selectedSigAlg = selectBestSigAlg(algorithms, selectedKeyID); + Logger.trace("Selecting SigAlg: " + selectedSigAlg); + return selectedSigAlg; + + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() + */ + @Override + public List getSignedProperties() { + return signedProperties; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() + */ + @Override + public boolean isSecurityLayerConform() { + return securityLayerConform; + } + + /** + * Sets the security layer conformity. + * + * @param securityLayerConform <code>true</code>, if the created signature is to + * be conform to the Security Layer specification. + */ + public void setSecurityLayerConform(boolean securityLayerConform) { + this.securityLayerConform = securityLayerConform; + } + + public void setDigestMethod(String digestMethod) { + this.digestMethod = digestMethod; + } + + @Override + public String getMimeType() { + return mimeType; + } + + @Override + public boolean includeData() { + return this.includeData; + } + + @Override + public boolean isPAdESConform() { + return this.isPAdESConform; + } + + private String selectBestSigAlg(Set algorithms, KeyEntryID selectedKeyID) throws AlgorithmUnavailableException { + Logger.trace("Key: " + selectedKeyID + " supports signingAlgs: " + StringUtils.join(algorithms, ",")); + + // TODO: maybe add support for parameterized RSASSA-PSS + if (digestMethod.compareTo("SHA-1") == 0) { Logger.warn( "SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)"); - if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { + if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { return SignatureAlgorithms.SHA1_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { @@ -152,7 +236,11 @@ public class CMSSignatureCreationProfileImpl } } else if (digestMethod.compareTo("SHA-256") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) { + + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { @@ -168,7 +256,10 @@ public class CMSSignatureCreationProfileImpl null); } } else if (digestMethod.compareTo("SHA-384") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { return SignatureAlgorithms.SHA384_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { @@ -184,7 +275,10 @@ public class CMSSignatureCreationProfileImpl null); } } else if (digestMethod.compareTo("SHA-512") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { return SignatureAlgorithms.SHA512_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { @@ -205,52 +299,6 @@ public class CMSSignatureCreationProfileImpl null, null); } - - } - - /** - * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() - */ - @Override - public List getSignedProperties() { - return signedProperties; - } - - /** - * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() - */ - @Override - public boolean isSecurityLayerConform() { - return securityLayerConform; - } - - /** - * Sets the security layer conformity. - * - * @param securityLayerConform <code>true</code>, if the created signature is to - * be conform to the Security Layer specification. - */ - public void setSecurityLayerConform(boolean securityLayerConform) { - this.securityLayerConform = securityLayerConform; - } - - public void setDigestMethod(String digestMethod) { - this.digestMethod = digestMethod; - } - - @Override - public String getMimeType() { - return mimeType; - } - - @Override - public boolean includeData() { - return this.includeData; - } - - @Override - public boolean isPAdESConform() { - return this.isPAdESConform; } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java index d1b776b..befeab7 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java @@ -43,7 +43,6 @@ import iaik.pki.store.revocation.RevocationStoreException; * A customized implementation of * {@link iaik.pki.store.revocation.RevocationInfoRetriever}. Will be used * instead of the default implementation - * {@link iaik.pki.store.revocation.CRLRetriever} to overcome a classloader * problem in connection with the {@link java.net.URL} class in a Tomcat * deployment environment. * diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java index 22cceeb..0e12f89 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java @@ -28,7 +28,6 @@ import iaik.pki.store.revocation.archive.DataBaseArchiveParameters; /** * An implementation of the <code>DataBaseArchiveParameter</code> interface. * - * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter * @author Patrick Peck * @version $Id$ */ @@ -46,9 +45,6 @@ public class DataBaseArchiveParameterImpl implements DataBaseArchiveParameters { this.jDBCUrl = jDBCUrl; } - /** - * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter#getJDBCUrl() - */ @Override public String getJDBCUrl() { return jDBCUrl; diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java index 9ef3764..7a036ec 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java @@ -60,10 +60,9 @@ public class TrustStoreProfileImpl implements TrustStoreProfile { /** * Create a new <code>TrustStoreProfileImpl</code>. * - * @param config The MOA configuration data, from which trust store - * configuration data is read. - * @param trustProfileId The trust profile id on which this - * <code>TrustStoreProfile</code> is based. + * @param trustProfileId The trust profile id on which this + * <code>TrustStoreProfile</code> is based. + * @param trustProfileUri File path to trust profile * @throws MOAApplicationException The <code>trustProfileId</code> could not be * found in the MOA configuration. */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java index 516e3d8..b0fea7f 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java @@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.xmlsign; import java.util.List; import java.util.Set; +import org.apache.commons.lang3.StringUtils; + import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -76,6 +78,7 @@ public class XMLSignatureCreationProfileImpl private final IdGenerator propertyIDGenerator; /** The selected digest method algorithm if XAdES 1.4.2 is used */ private final String digestMethodXAdES142; + private final boolean rsaSsaPss; /** * Create a new <code>XMLSignatureCreationProfileImpl</code>. @@ -85,11 +88,12 @@ public class XMLSignatureCreationProfileImpl * same request. * @param reservedIDs The set of IDs that must not be used while * generating new IDs. + * @param useRsaSsaPss Use RSASSA-PSS if supported */ public XMLSignatureCreationProfileImpl( int createProfileCount, Set reservedIDs, - String digestMethodXAdES142) { + String digestMethodXAdES142, boolean useRsaSsaPss) { signatureIDGenerator = new IdGenerator("signature-" + createProfileCount, reservedIDs); manifestIDGenerator = @@ -99,6 +103,8 @@ public class XMLSignatureCreationProfileImpl propertyIDGenerator = new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs); this.digestMethodXAdES142 = digestMethodXAdES142; + this.rsaSsaPss = useRsaSsaPss; + } /** @@ -159,6 +165,14 @@ public class XMLSignatureCreationProfileImpl @Override public String getSignatureAlgorithmName(KeyEntryID selectedKeyID) throws AlgorithmUnavailableException { + String sigAlgIdentifier = getInternalSignatureAlgorithmName(selectedKeyID); + Logger.debug("Selected SignatureAlgorithmIdentifier: " + sigAlgIdentifier); + return sigAlgIdentifier; + + } + + private String getInternalSignatureAlgorithmName(KeyEntryID selectedKeyID) + throws AlgorithmUnavailableException { final TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); @@ -174,21 +188,35 @@ public class XMLSignatureCreationProfileImpl e, null); } + Logger.trace("RSASSA-PSS: " + rsaSsaPss + " XAdESDigistAlg: " + digestMethodXAdES142 + + " Algorithms: " + StringUtils.join(algorithms, ",")); + // TODO: maybe add support for parameterized RSASSA-PSS if (digestMethodXAdES142 == null) { // XAdES 1.4.2 not enabled - legacy MOA - if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) + if (rsaSsaPss + && (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1))) { + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + + return SignatureAlgorithms.SHA256_WITH_RSA; - return SignatureAlgorithms.SHA1_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { return SignatureAlgorithms.ECDSA; + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { return SignatureAlgorithms.DSA; + } else { throw new AlgorithmUnavailableException( "No algorithm for key entry: " + selectedKeyID, @@ -219,7 +247,10 @@ public class XMLSignatureCreationProfileImpl } } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { @@ -235,7 +266,10 @@ public class XMLSignatureCreationProfileImpl null); } } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { return SignatureAlgorithms.SHA384_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { @@ -251,7 +285,10 @@ public class XMLSignatureCreationProfileImpl null); } } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { return SignatureAlgorithms.SHA512_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java index 5624f45..4ae1866 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java @@ -221,6 +221,7 @@ public class CMSSignatureCreationInvoker { // get digest algorithm final String digestAlgorithm = getDigestAlgorithm(config, keyGroupID); + final boolean useRsaSsaPss = isRsaSsaPssActive(config, keyGroupID); // create CMSSignatureCreation profile: final CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl( @@ -230,7 +231,8 @@ public class CMSSignatureCreationInvoker { isSecurityLayerConform, includeData, mimetype, - isPAdESConformRequired); + isPAdESConformRequired, + useRsaSsaPss); // create CMSSignature from the CMSSignatureCreationModule // build the additionalSignedProperties @@ -344,13 +346,23 @@ public class CMSSignatureCreationInvoker { } + private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass(); + final boolean configUseRsaSsaPss = config.isUseRsaSsaPss(); + return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss; + + } + private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) throws MOASystemException { // get digest method on key group level (if configured) final String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); + // get default digest method (if configured) final String configDigestMethod = config.getDigestMethodAlgorithmName(); + String digestMethod = null; if (configDigestMethodKG != null) { // if KG specific digest method is configured diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 1a0791b..7aca40e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -86,7 +86,7 @@ public class CMSSignatureVerificationInvoker { /** * Return the only instance of this class. - * + * * @return The only instance of this class. */ public static synchronized CMSSignatureVerificationInvoker getInstance() { @@ -98,7 +98,7 @@ public class CMSSignatureVerificationInvoker { /** * Create a new <code>CMSSignatureVerificationInvoker</code>. - * + * * Protected to disallow multiple instances. */ protected CMSSignatureVerificationInvoker() { @@ -106,7 +106,7 @@ public class CMSSignatureVerificationInvoker { /** * Verify a CMS signature. - * + * * @param request The <code>VerifyCMSSignatureRequest</code> containing the CMS * signature, as well as additional data needed for verification. * @return Element A <code>VerifyCMSSignatureResponse</code> containing the @@ -118,7 +118,7 @@ public class CMSSignatureVerificationInvoker { final CMSSignatureVerificationProfileFactory profileFactory = new CMSSignatureVerificationProfileFactory( request); - final VerifyCMSSignatureResponseBuilder responseBuilder = new VerifyCMSSignatureResponseBuilder(); + final TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); final LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext(); InputStream signature; @@ -219,7 +219,7 @@ public class CMSSignatureVerificationInvoker { } } - final QCSSCDResult qcsscdresult = new QCSSCDResult(); + final VerifyCMSSignatureResponseBuilder responseBuilder = new VerifyCMSSignatureResponseBuilder(); // build the response: for each signatory add the result to the response signatories = request.getSignatories(); @@ -248,7 +248,7 @@ public class CMSSignatureVerificationInvoker { handlePDFResult(resultObject, responseBuilder, trustProfile); } } catch (final IndexOutOfBoundsException e) { - throw new MOAApplicationException("2249", new Object[] { new Integer(sigIndex) }); + throw new MOAApplicationException("2249", new Object[] { Integer.valueOf(sigIndex) }); } } } @@ -402,8 +402,8 @@ public class CMSSignatureVerificationInvoker { i++; } - qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), trustProfile - .isTSLEnabled(), ConfigurationProvider.getInstance()); + qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), + trustProfile.isTSLEnabled(), ConfigurationProvider.getInstance()); // get signer certificate issuer country code issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)); @@ -419,7 +419,7 @@ public class CMSSignatureVerificationInvoker { /** * Get the signed content contained either in the request itself or given as a * reference to external data. - * + * * @param request The <code>VerifyCMSSignatureRequest</code> containing the * signed content (or the reference to the signed content). * @return InputStream A stream providing the signed content data, or diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java index bc5d884..bca9b8e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java @@ -69,12 +69,12 @@ public class CreateCMSSignatureResponseBuilder { /** * Add a <code>SignatureEnvironment</code> element to the response. * - * @param signatureEnvironment The content to put under the - * <code>SignatureEnvironment</code> element. This - * should either be a <code>dsig:Signature</code> - * element (in case of a detached signature) or the - * signature environment containing the signature - * (in case of an enveloping signature). + * @param base64value The content to put under the + * <code>SignatureEnvironment</code> element. This should + * either be a <code>dsig:Signature</code> element (in case + * of a detached signature) or the signature environment + * containing the signature (in case of an enveloping + * signature). */ public void addCMSSignature(String base64value) { final CMSSignatureResponse responseElement = @@ -84,7 +84,7 @@ public class CreateCMSSignatureResponseBuilder { /** * Add a <code>ErrorResponse</code> element to the response. - * + * * @param errorCode The error code. * @param info Additional information about the error. */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index 813d28e..79b4c29 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -74,15 +74,26 @@ public class VerifyCMSSignatureResponseBuilder { /** * Add a verification result to the response. * - * @param result The result to add. - * @param trustprofile The actual trustprofile - * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the - * certificate as qualified, otherwise <code>false</code>. - * @param checkSSCD <code>true</code>, if the TSL check verifies the - * signature based on a SSDC, otherwise - * <code>false</code>. - * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from - * the TSL, otherwise <code>false</code>. + * @param result The result to add. + * @param trustProfile The actual trustprofile + * @param checkQC <code>true</code>, if the TSL check + * verifies the certificate as qualified, + * otherwise <code>false</code>. + * @param qcSourceTSL <true> if QC info comes from the TSL, + * otherwise <code>false</code>. + * @param checkSSCD <code>true</code>, if the TSL check + * verifies the signature based on a SSDC, + * otherwise <code>false</code>. + * @param sscdSourceTSL <code>true</code>, if the SSCD + * information comes from the TSL, + * otherwise <code>false</code>. + * @param issuerCountryCode TSL issuer country + * @param adesResults Form validation results + * @param extendedCertificateCheckResult Extended validation results + * @param tslInfos Full TSL validation result + * @param extendedVerification <code>true</code> if extended + * validation was used, otherwise + * <code>false</code> * @throws MOAException */ public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, @@ -150,7 +161,7 @@ public class VerifyCMSSignatureResponseBuilder { } /** - * + * * @param result * @param trustProfile * @param checkQC diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 7e882ed..25ce8d1 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java @@ -515,7 +515,7 @@ public class VerifyXMLSignatureResponseBuilder { try { if (refInfo.isHashCalculated() && !refInfo.isHashValid()) { - failedReferencesList.add(new Integer(i + 1)); + failedReferencesList.add(Integer.valueOf(i + 1)); } } catch (final HashUnavailableException e) { // nothing to do here because we called refInfo.isHashCalculated first diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java index c097b0c..46c4983 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java @@ -191,8 +191,10 @@ public class XMLSignatureCreationProfileFactory { } } + final XMLSignatureCreationProfileImpl profile = - new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142); + new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142, + isRsaSsaPssActive(config, keyGroupID)); // build the transformation supplements createTransformsProfiles = @@ -260,6 +262,21 @@ public class XMLSignatureCreationProfileFactory { return profile; } + private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass(); + final boolean configUseRsaSsaPss = config.isUseRsaSsaPss(); + + Logger.trace("Config using RSASSA-PSS. KeyStore: " + + useRsaSsaPssKg != null + ? useRsaSsaPssKg + : "NOT-DEFINED" + + " Default: " + config); + + return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss; + + } + /** * Get the <code>List</code> of all <code>CreateTransformsInfoProfile</code>s * contained in all the <code>DataObjectInfo</code>s of the given diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index b97cc95..0fb2d82 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -110,34 +110,27 @@ import iaik.xml.crypto.utils.URIException; public class XMLSignatureVerificationInvoker { /** The single instance of this class. */ - private static XMLSignatureVerificationInvoker instance = null; + private static final XMLSignatureVerificationInvoker INSTANCE = new XMLSignatureVerificationInvoker(); - private static Set FILTERED_REF_TYPES; - - static { - FILTERED_REF_TYPES = new HashSet(); - FILTERED_REF_TYPES.add(DsigManifest.XML_DSIG_MANIFEST_TYPE); - FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE); - FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD); - FILTERED_REF_TYPES.add(XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties"); - FILTERED_REF_TYPES.add("http://uri.etsi.org/01903#SignedProperties"); - } + private static final Set<String> FILTERED_REF_TYPES = Set.of( + DsigManifest.XML_DSIG_MANIFEST_TYPE, + SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE, + SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD, + XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties", + "http://uri.etsi.org/01903#SignedProperties"); /** * Get the single instance of this class. - * + * * @return The single instance of this class. */ - public static synchronized XMLSignatureVerificationInvoker getInstance() { - if (instance == null) { - instance = new XMLSignatureVerificationInvoker(); - } - return instance; + public static XMLSignatureVerificationInvoker getInstance() { + return INSTANCE; } /** * Create a new <code>XMLSignatureCreationInvoker</code>. - * + * * Protected to disallow multiple instances. */ protected XMLSignatureVerificationInvoker() { @@ -146,8 +139,8 @@ public class XMLSignatureVerificationInvoker { /** * Process the <code>VerifyXMLSignatureRequest<code> message and invoke the * <code>XMLSignatureVerificationModule</code>. - * - * @param request A <code>VerifyXMLSignatureRequest<code> API object + * + * @param request A <code>VerifyXMLSignatureRequest<code> API object * containing the data for verifying an XML signature. * @return A <code>VerifyXMLSignatureResponse</code> containing the answert * to the <code>VerifyXMLSignatureRequest</code>. MOA schema @@ -307,16 +300,16 @@ public class XMLSignatureVerificationInvoker { /** * Checks if the signer certificate matches one of the allowed signer * certificates specified in the provided <code>trustProfile</code>. - * + * * @param result The result produced by the * <code>XMLSignatureVerificationModule</code>. - * + * * @param trustProfile The trust profile the signer certificate is validated * against. - * + * * @return The overal result of the certificate validation for the signer * certificate. - * + * * @throws MOAException if one of the signer certificates specified in the * <code>trustProfile</code> cannot be read from the file * system. @@ -392,7 +385,7 @@ public class XMLSignatureVerificationInvoker { /** * Select the <code>dsig:Signature</code> DOM element within the signature * environment. - * + * * @param signatureEnvironment The signature environment containing the * <code>dsig:Signature</code>. * @param request The <code>VerifyXMLSignatureRequest</code> @@ -425,7 +418,7 @@ public class XMLSignatureVerificationInvoker { /** * Build the supplemental data objects contained in the * <code>VerifyXMLSignatureRequest</code>. - * + * * @param supplements A <code>List</code> of * <code>XMLDataObjectAssociation</code>s containing the * supplement data. @@ -458,7 +451,7 @@ public class XMLSignatureVerificationInvoker { /** * Get the supplemental data contained in the * <code>VerifyXMLSignatureRequest</code>. - * + * * @param request The <code>VerifyXMLSignatureRequest</code> containing the * supplemental data. * @return A <code>List</code> of <code>XMLDataObjectAssociation</code> objects @@ -490,7 +483,7 @@ public class XMLSignatureVerificationInvoker { /** * Perform additional validations of the * <code>XMLSignatureVerificationResult</code>. - * + * * <p> * In particular, it is verified that: * <ul> @@ -500,7 +493,7 @@ public class XMLSignatureVerificationInvoker { * <li>The hash values of the <code>TransformParameter</code>s are valid.</li> * </ul> * </p> - * + * * @param request The <code>VerifyXMLSignatureRequest</code> containing the * signature to verify. * @param result The result produced by @@ -546,7 +539,7 @@ public class XMLSignatureVerificationInvoker { } if (!found) { - final Integer refIndex = new Integer(refData.getReferenceIndex()); + final Integer refIndex = Integer.valueOf(refData.getReferenceIndex()); final String logMsg = msg.getMessage("invoker.01", new Object[] { refIndex }); failedReferencesList.add(refIndex); @@ -588,8 +581,8 @@ public class XMLSignatureVerificationInvoker { final int[] failedReferences = new int[] { ref.getReferenceIndex() }; final ReferencesCheckResultInfo checkInfo = factory.createReferencesCheckResultInfo(null, failedReferences); - final String logMsg = msg.getMessage("invoker.02", new Object[] { new Integer(ref - .getReferenceIndex()) }); + final String logMsg = msg.getMessage("invoker.02", new Object[] { + Integer.valueOf(ref.getReferenceIndex()) }); Logger.debug(new LogMsg(logMsg)); @@ -605,7 +598,7 @@ public class XMLSignatureVerificationInvoker { * Get all <code>Transform</code>s contained in all the * <code>VerifyTransformsInfoProfile</code>s of the given * <code>ReferenceInfo</code>. - * + * * @param refInfo The <code>ReferenceInfo</code> object containing the * transformations. * @return A <code>List</code> of <code>List</code>s. Each of the @@ -637,7 +630,7 @@ public class XMLSignatureVerificationInvoker { /** * Build the <code>Set</code> of all <code>TransformParameter</code> URIs. - * + * * @param transformParameters The <code>List</code> of * <code>TransformParameter</code>s, as provided to * the verification. @@ -658,7 +651,7 @@ public class XMLSignatureVerificationInvoker { /** * Build a mapping between <code>TransformParameter</code> URIs (a * <code>String</code> and <code>dsig:HashValue</code> (a <code>byte[]</code>). - * + * * @param request The <code>VerifyXMLSignatureRequest</code>. * @return Map The resulting mapping. * @throws MOAApplicationException An error occurred accessing one of the @@ -703,7 +696,7 @@ public class XMLSignatureVerificationInvoker { * Filter the <code>ReferenceInfo</code>s returned by the * <code>VerifyXMLSignatureResult</code> for comparison with the * <code>ReferenceInfo</code> elements in the request. - * + * * @param referenceInfos The <code>ReferenceInfo</code>s from the * <code>VerifyXMLSignatureResult</code>. * @return A <code>List</code> of all <code>ReferenceInfo</code>s whose type is diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java index 335bf68..a60590d 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java @@ -1,6 +1,6 @@ package at.gv.egovernment.moa.spss.server.transaction; -import javax.activation.DataSource; +import jakarta.activation.DataSource; public interface DeleteableDataSource extends DataSource { void delete(); diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java index 5746657..06326a0 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java @@ -33,14 +33,13 @@ import java.util.Iterator; import java.util.Map.Entry; import java.util.Vector; -import javax.activation.DataSource; - import org.w3c.dom.Element; import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moaspss.logging.Logger; import iaik.xml.crypto.utils.URI; +import jakarta.activation.DataSource; /** * Contains information about the current request. @@ -310,7 +309,7 @@ public class TransactionContext { } // not available in Axis 1.0 to 1.1 // File f = mmds.getDiskCacheFile(); -// if (f!=null) f.delete(); +// if (f!=null) f.delete(); if (mmds instanceof DeleteableDataSource) { ((DeleteableDataSource) mmds).delete(); } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java index 8e37b1c..8dd2a8b 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java @@ -21,8 +21,8 @@ import iaik.server.modules.resultcodes.ResultCodeValid; public class AdESResultUtils { - private static final int MAJORRESULTCODESKIPPED = new Integer(3); - private static final int MAJORRESULTCODEERROR = new Integer(4); + private static final int MAJORRESULTCODESKIPPED = Integer.valueOf(3); + private static final int MAJORRESULTCODEERROR = Integer.valueOf(4); public static Integer getResultCode(Integer adesCode) { return adesCode; @@ -114,9 +114,9 @@ public class AdESResultUtils { minorInfo = "UNKNOWN_SUBFILTER"; } else if (resultCode.getCode().equals(ResultCode.CODE_NO_SIGNER_CERTIFICATE_FOUND)) { minorInfo = "NO_SIGNER_CERTIFICATE_FOUND"; - - - + + + // pdf-as 3.x detection is removed from MOA-SP since 3.1.2 } else if (resultCode.getCode().equals(ResultCode.PDF_AS_SIGNATURE)) { // minorInfo = "PDF_AS_SIGNATURE"; diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java index b7580ac..35dca16 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java @@ -204,7 +204,6 @@ public class CertificateUtils { // QC evaluation flags boolean qc = false; boolean qcSourceTSL = false; - boolean qcDisallowedFromTSL = false; // SSCD/QSCD evaluation flags boolean sscd = false; @@ -254,7 +253,6 @@ public class CertificateUtils { TslConstants.SSCD_QUALIFIER_SHORT.NotQualified))) { qc = false; qcSourceTSL = false; - qcDisallowedFromTSL = true; Logger.info("TSL mark this certificate explicitly as 'NotQualified'!"); } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java index be40a9e..221c361 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java @@ -47,7 +47,7 @@ public class ExternalURIVerifier { }
} else {
// check host and port
- final int iport = new Integer(bport).intValue();
+ final int iport = Integer.valueOf(bport).intValue();
if (ip.startsWith(bhost) && iport == port) {
Logger.debug(new LogMsg("Blacklist check: " + host + ":" + port + " (" + ip + ":" + port
+ " blacklisted"));
@@ -75,7 +75,7 @@ public class ExternalURIVerifier { }
} else {
// check host and port
- final int iport = new Integer(bport).intValue();
+ final int iport = Integer.valueOf(bport).intValue();
if (ip.startsWith(bhost) && iport == port) {
Logger.debug(new LogMsg("Whitelist check: " + host + ":" + port + " (" + ip + ":" + port
+ " whitelisted"));
|