| author | Thomas Lenz <thomas.lenz@a-sit.at> | 2025-09-25 06:29:19 +0000 |
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@a-sit.at> | 2025-09-25 06:29:19 +0000 |
| commit | 32d859478da3c8368213ba398b70b8ee39861f03 (patch) | |
| tree | 6190080e24df905ad07295b2f241f61c5cb77c94 /moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config | |
| parent | f332d5a3b6bbe0650f0f8485a1e92d4b2fe5dbf4 (diff) | |
| parent | 71c6b41accf6786cd790fd931c909f119979b2c6 (diff) | |
Nightlybuild
See merge request egiz/moa-sig!3
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config')
4 files changed, 117 insertions, 26 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java
index bf11240..0f1a57d 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java
@@ -50,18 +50,19 @@ public class CRLDistributionPoint extends DistributionPoint implements // create the mapping between reason code strings and their integer // values - RC_MAPPING.put("unused", new Integer(iaik.asn1.structures.DistributionPoint.unused)); - RC_MAPPING.put("keyCompromise", new Integer(iaik.asn1.structures.DistributionPoint.keyCompromise)); - RC_MAPPING.put("cACompromise", new Integer(iaik.asn1.structures.DistributionPoint.cACompromise)); - RC_MAPPING.put("affiliationChanged", new Integer( + RC_MAPPING.put("unused", Integer.valueOf(iaik.asn1.structures.DistributionPoint.unused)); + RC_MAPPING.put("keyCompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.keyCompromise)); + RC_MAPPING.put("cACompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.cACompromise)); + RC_MAPPING.put("affiliationChanged", Integer.valueOf( iaik.asn1.structures.DistributionPoint.affiliationChanged)); - RC_MAPPING.put("superseded", new Integer(iaik.asn1.structures.DistributionPoint.superseded)); + RC_MAPPING.put("superseded", Integer.valueOf(iaik.asn1.structures.DistributionPoint.superseded)); RC_MAPPING.put("cessationOfOperation", - new Integer(iaik.asn1.structures.DistributionPoint.cessationOfOperation)); - RC_MAPPING.put("certificateHold", new Integer(iaik.asn1.structures.DistributionPoint.certificateHold)); - RC_MAPPING.put("privilegeWithdrawn", new Integer( + Integer.valueOf(iaik.asn1.structures.DistributionPoint.cessationOfOperation)); + RC_MAPPING.put("certificateHold", Integer.valueOf( + iaik.asn1.structures.DistributionPoint.certificateHold)); + RC_MAPPING.put("privilegeWithdrawn", Integer.valueOf( iaik.asn1.structures.DistributionPoint.privilegeWithdrawn)); - RC_MAPPING.put("aACompromise", new Integer(iaik.asn1.structures.DistributionPoint.aACompromise)); + RC_MAPPING.put("aACompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.aACompromise)); } /** 
@@ -76,12 +77,12 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Create a <code>CRLDistributionPoint</code>. - * + * * @param issuerName The name of the CA issuing the CRL referred to by this * DP. - * + * * @param uri The URI of the distribution point. - * + * * @param reasonCodeStr A list of reason codes (a space-separated enumeration). */ public CRLDistributionPoint(String issuerName, String uri, String reasonCodeStr) { @@ -101,7 +102,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Convert a list of reason codes provided as a <code>String</code> to a binary * representation. - * + * * @param reasonCodeStr A <code>String</code> containing a blank-separated, * textual representation of reason codes. * @return int A binary representation of reason codes. @@ -143,7 +144,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Return a binary representation of the reason codes of this distribution * point. - * + * * @return The binary representation of the reason codes. */ @Override @@ -153,7 +154,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Return a <code>String</code> representation of this distribution point. - * + * * @return The <code>String</code> representation of this distribution point. * @see java.lang.Object#toString() */ @@ -163,7 +164,7 @@ public class CRLDistributionPoint extends DistributionPoint implements } /** - * @see iaik.pki.revocation.CRLDistributionPoint#getIssuerName() + * Get CRL issuer-name. */ public String getIssuerName() { return issuerName_; diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 75da0a6..09ec921 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java 
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -154,6 +154,11 @@ public class ConfigurationPartsBuilder { private static final String KEYGROUP_MAPPING_XPATH = ROOT + CONF + "SignatureCreation/" + CONF + "KeyGroupMapping"; + + private static final String SIGN_PARAMS_XPATH = + ROOT + CONF + "SignatureCreation/" + + CONF + "Signing"; + private static final String ISSUER_XPATH = DSIG + "X509IssuerName"; private static final String SERIAL_XPATH = @@ -576,7 +581,7 @@ public class ConfigurationPartsBuilder { entry = new BlackListEntry(host, -1); info("config.34", new Object[] { host }); } else { - entry = new BlackListEntry(host, new Integer(port).intValue()); + entry = new BlackListEntry(host, Integer.valueOf(port).intValue()); info("config.34", new Object[] { host + ":" + port }); } @@ -626,7 +631,7 @@ public class ConfigurationPartsBuilder { entry = new WhiteListEntry(host, -1); info("config.49", new Object[] { host }); } else { - entry = new WhiteListEntry(host, new Integer(port).intValue()); + entry = new WhiteListEntry(host, Integer.valueOf(port).intValue()); info("config.49", new Object[] { host + ":" + port }); } 
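Review bot: `Integer.valueOf(port).intValue()` in the BlackListEntry branch boxes and immediately unboxes; `Integer.parseInt(port)` is the direct form and states the intent: `entry = new BlackListEntry(host, Integer.parseInt(port));`. The WhiteListEntry hunk at @@ -626 makes the same change and would take the same form. Either way a non-numeric port still surfaces as an uncaught NumberFormatException from this line; since the value is operator-supplied configuration, logging the offending host and port before it propagates would make the misconfiguration easier to locate. The enclosing method starts and ends outside the hunk.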
@@ -759,9 +764,22 @@ public class ConfigurationPartsBuilder { final String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null); - final Set keyGroupEntries = - buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); - final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm); + final Set keyGroupEntries = buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); + + String rsaSsaPssAttr = keyGroupElem.getAttribute("RSASSA-PSS"); + Boolean useRsaSsaPss = null; + if (org.apache.commons.lang3.StringUtils.isNotEmpty(rsaSsaPssAttr)) { + useRsaSsaPss = Boolean.valueOf(keyGroupElem.getAttribute("RSASSA-PSS")); + Logger.info((useRsaSsaPss ? "Enable" : "Disable") + + " RSASSA-PSS as primary signature-algorithm for keyGroup: " + keyGroupId); + + } else { + Logger.debug("RSASSA-PSS is not defined for keyGroup: " + keyGroupId); + + } + + final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, + keyGroupDigestMethodAlgorithm, useRsaSsaPss); if (keyGroups.containsKey(keyGroupId)) { warn("config.04", new Object[] { "KeyGroup", keyGroupId }); @@ -1504,7 +1522,7 @@ public class ConfigurationPartsBuilder { * Returns the JDBC URL for the revocation archive database. * * @return the JDBC URL for the revocation archive database, or - * <code>null</code, if the corresponding parameter is not set in the + * <code>null</code>, if the corresponding parameter is not set in the * configuration. */ public String getRevocationArchiveJDBCURL() { @@ -1516,7 +1534,7 @@ public class ConfigurationPartsBuilder { * Returns the JDBC driver class name for the revocation archive database. * * @return the JDBC driver class name for the revocation archive database, or - * <code>null</code, if the corresponding parameter is not set in the + * <code>null</code>, if the corresponding parameter is not set in the * configuration. */ public String getRevocationArchiveJDBCDriverClass() { 
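Review bot: `Boolean.valueOf(...)` on the `RSASSA-PSS` key-group attribute treats any value other than "true" (case-insensitively) as `false`, so a typo such as `RSASSA-PSS="ture"` silently disables PSS for that key group with an info-level "Disable" message rather than a warning. Because this switches the signature scheme, I would accept only `true`/`false`, warn on anything else and leave the value undefined (`null`) so the global default applies. The branch also re-reads `keyGroupElem.getAttribute("RSASSA-PSS")` instead of using the `rsaSsaPssAttr` it just fetched, and `isNotEmpty` lets a whitespace-only value through to `Boolean.valueOf`; trimming first covers both. The enclosing method starts and ends outside the hunk.

```java
final String rsaSsaPssAttr =
    org.apache.commons.lang3.StringUtils.trimToNull(keyGroupElem.getAttribute("RSASSA-PSS"));
Boolean useRsaSsaPss = null;
if (rsaSsaPssAttr == null) {
  Logger.debug("RSASSA-PSS is not defined for keyGroup: " + keyGroupId);
} else if ("true".equalsIgnoreCase(rsaSsaPssAttr) || "false".equalsIgnoreCase(rsaSsaPssAttr)) {
  useRsaSsaPss = Boolean.valueOf(rsaSsaPssAttr);
  Logger.info((useRsaSsaPss ? "Enable" : "Disable")
      + " RSASSA-PSS as primary signature-algorithm for keyGroup: " + keyGroupId);
} else {
  Logger.warn("Ignoring invalid RSASSA-PSS value '" + rsaSsaPssAttr + "' for keyGroup: " + keyGroupId);
}
// … unchanged: KeyGroup construction and duplicate-id check …
```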
@@ -1762,7 +1780,7 @@ public class ConfigurationPartsBuilder { while ((modElem = (Element) modIter.nextNode()) != null) { final String x509IssuerName = getElementValue(modElem, CONF + "X509IssuerName", null); final String i = getElementValue(modElem, CONF + "Interval", null); - final Integer interval = new Integer(i); + final Integer interval = Integer.valueOf(i); map.put(ConfigurationProvider.normalizeX500Names(x509IssuerName), interval); } @@ -1770,6 +1788,33 @@ public class ConfigurationPartsBuilder { return map; } + /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * <p> + * <b>Default: </b> <code>true</code> + * </p> + * + * @return <code>true</code> if RSASSA-PSS should be used, otherwise false. + */ + public boolean isRsaSsaPssEnabled() { + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SIGN_PARAMS_XPATH); + + + Element modElem; + if ((modElem = (Element) modIter.nextNode()) != null) { + Boolean value = Boolean.valueOf(modElem.getAttribute("RSASSA-PSS")); + Logger.debug((value ? "Enable" : "Disable") + " RSASSA-PSS as primary signature-algorithm for RSA"); + return value; + + } else { + Logger.debug("Enable RSASSA-PSS as primary signature-algorithm for RSA"); + return true; + + } + } /** * Should ETSI extension should be used for short-time certificate validation. @@ -1792,6 +1837,7 @@ public class ConfigurationPartsBuilder { return SHORT_TIME_CERT_DEFAULT_ETSI; } + /** * Get default shortTime certificate interval. * @@ -1834,7 +1880,7 @@ public class ConfigurationPartsBuilder { final String x509IssuerName = ConfigurationProvider.normalizeX500Names( getElementValue(modElem, CONF + "X509IssuerName", null)); final String i = getElementValue(modElem, CONF + "ValidityPeriod", null); - final Integer interval = new Integer(i); + final Integer interval = Integer.valueOf(i); map.put(x509IssuerName, interval); Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName); 
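Review bot: In `isRsaSsaPssEnabled()` the attribute lookup inverts the documented default: when a `Signing` element is present but carries no `RSASSA-PSS` attribute, `modElem.getAttribute("RSASSA-PSS")` returns the empty string (DOM `Element` semantics, assuming this is `org.w3c.dom.Element`), `Boolean.valueOf("")` yields `false`, and PSS is disabled even though the Javadoc promises `true`. Guard on attribute presence so only an explicit value overrides the default: `if ((modElem = (Element) modIter.nextNode()) != null && modElem.hasAttribute("RSASSA-PSS")) {`. The local can then be a primitive, `final boolean value = Boolean.parseBoolean(modElem.getAttribute("RSASSA-PSS"));`, which removes the boxing and unboxing around the return. As in the key-group hunk, a misspelt value still silently reads as `false`; a warning on values other than true/false would make that misconfiguration visible.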
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 3c720a1..6856e56 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -103,6 +103,9 @@ public class ConfigurationProvider { /** The default canonicalization algorithm name */ private String canonicalizationAlgorithmName; + /** The default of use RSASSA-PSS if supported */ + private boolean useRsaSsaPss; + /** The XAdES version used for signature creation */ private String xadesVersion; @@ -375,6 +378,8 @@ public class ConfigurationProvider { // check TSL configuration checkTSLConfiguration(); + useRsaSsaPss = builder.isRsaSsaPssEnabled(); + digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName(); canonicalizationAlgorithmName = builder.getCanonicalizationAlgorithmName(); @@ -556,6 +561,15 @@ public class ConfigurationProvider { } /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * @return <code>true</code> if RSASSA-PSS should be used, otherwise false. + */ + public boolean isUseRsaSsaPss() { + return useRsaSsaPss; + } + + /** * Return the XAdES version used for signature creation. * * @return The XAdES version used for signature creation, or an empty diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java index faeaf82..fc374ab 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java 
@@ -42,6 +42,9 @@ public class KeyGroup { /** The digest method algorithm for the key group */ private final String digestMethodAlgorithm; + /** Use RSASSA-PSS if supported */ + private final Boolean useRsaSsaPss; + /** * Create a <code>KeyGroup</code>. * @@ -51,9 +54,25 @@ public class KeyGroup { * @param digestMethodAlgorithm The signature algorithm used for this key group */ public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) { + this(id, keyGroupEntries, digestMethodAlgorithm, true); + + } + + /** + * Create a <code>KeyGroup</code>. + * + * @param id The ID of this <code>KeyGroup</code>. + * @param keyGroupEntries The keys belonging to this + * <code>KeyGroup</code>. + * @param useRsaSsaPss Use RSASSA-PSS if available and supported + * @param digestMethodAlgorithm The signature algorithm used for this key group + */ + public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm, Boolean useRsaSsaPss) { this.id = id; this.keyGroupEntries = keyGroupEntries; this.digestMethodAlgorithm = digestMethodAlgorithm; + this.useRsaSsaPss = useRsaSsaPss; + } /** @@ -84,6 +103,17 @@ public class KeyGroup { } /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * @return <code>true</code> if RSASSA-PSS should be used, <code>false</code> if + * it is disabled, or <code>null</code> if it is undefined + */ + public Boolean isUseRsaSsaPass() { + return useRsaSsaPss; + + } + + /** * Return a <code>String</code> representation of this <code>KeyGroup</code>. * * @return The <code>String</code> representation. @@ -102,7 +132,7 @@ public class KeyGroup { } } return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " - + digestMethodAlgorithm; + + digestMethodAlgorithm + useRsaSsaPss != null ? ("RSASSA-PSS: " + useRsaSsaPss) : ""; } } |
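Review bot: The retained three-argument constructor delegates with `true`, while `isUseRsaSsaPass()` documents `null` as "undefined" and ConfigurationPartsBuilder passes `null` when the attribute is absent, so key groups created through the legacy constructor are forced to PSS regardless of the provider-wide `isUseRsaSsaPss()` setting. If unset is meant to fall back to the global default, delegating with `null` is the consistent choice: `this(id, keyGroupEntries, digestMethodAlgorithm, null);`. Separately, the new constructor's Javadoc lists `@param useRsaSsaPss` before `@param digestMethodAlgorithm`, the reverse of the signature order.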
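Review bot: `isUseRsaSsaPass()` misspells the field it returns (`useRsaSsaPss`) and diverges from `ConfigurationProvider.isUseRsaSsaPss()` added in the same commit; an `is` prefix on a `Boolean`-returning accessor is also misleading, since bean conventions reserve `is*` for primitive `boolean`. Renaming it before the API ships, e.g. `public Boolean getUseRsaSsaPss() {`, avoids carrying the typo into callers.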
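Review bot: The new `toString()` return has an operator-precedence bug: `+` binds tighter than `!=`, so the expression is parsed as `("(KeyGroup - ID:" + … + digestMethodAlgorithm + useRsaSsaPss) != null ? … : ""`; the concatenated string is never null, so the method now returns only `"RSASSA-PSS: " + useRsaSsaPss` and drops the ID, entries and digest algorithm. Parenthesise the conditional and add a separator: `+ digestMethodAlgorithm + (useRsaSsaPss != null ? " RSASSA-PSS: " + useRsaSsaPss : "");`. The rest of `toString()` starts outside the hunk.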
