Merge branch 'nightlybuild' into 'master'HEAD 3.3.0 master

Nightlybuild See merge request egiz/moa-sig!3
author: Thomas Lenz <thomas.lenz@a-sit.at> 2025-09-25 06:29:19 +0000
committer: Thomas Lenz <thomas.lenz@a-sit.at> 2025-09-25 06:29:19 +0000
commit: 32d859478da3c8368213ba398b70b8ee39861f03 (patch)
tree: 6190080e24df905ad07295b2f241f61c5cb77c94 /moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik
parent: f332d5a3b6bbe0650f0f8485a1e92d4b2fe5dbf4 (diff)
parent: 71c6b41accf6786cd790fd931c909f119979b2c6 (diff)
download: moa-sig-master.tar.gz
moa-sig-master.tar.bz2
moa-sig-master.zip
5 files changed, 152 insertions, 73 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java
index d660c7a..e5b6025 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java
@@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.cmssign;
 import java.util.List;
 import java.util.Set;
 
+import org.apache.commons.lang3.StringUtils;
+
 import at.gv.egovernment.moa.spss.server.logging.TransactionId;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
@@ -63,15 +65,36 @@ public class CMSSignatureCreationProfileImpl
   /** Digest Method algorithm */
   private String digestMethod;
   private final boolean isPAdESConform;
+  private final boolean rsaSsaPss;
+
+  public CMSSignatureCreationProfileImpl(
+      Set keySet,
+      String digestMethod,
+      List signedProperties,
+      boolean securityLayerConform,
+      boolean includeData,
+      String mimeType,
+      boolean isPAdESConform) {
+    this(keySet, digestMethod, signedProperties, securityLayerConform, includeData, mimeType,
+        isPAdESConform, true);
+
+  }
 
   /**
-   * Create a new <code>XMLSignatureCreationProfileImpl</code>.
+   * Creates a CMS based signature-creation profile.
    *
-   * @param createProfileCount Provides external information about the number of
-   *                           calls to the signature creation module, using the
-   *                           same request.
-   * @param reservedIDs        The set of IDs that must not be used while
-   *                           generating new IDs.
+   * @param keySet               Set of signing keys
+   * @param digestMethod         Hash algorithm
+   * @param signedProperties     List of signing properties
+   * @param securityLayerConform If <code>true</code> create a CAdES-B signature,
+   *                             otherwise CMS signature
+   * @param includeData          If <code>true</code> create an embedded
+   *                             signature, otherwise a detached
+   * @param mimeType             MimeType to be set
+   * @param isPAdESConform       If <code>true</code> signature fulfill PAdES
+   *                             requirements
+   * @param rsaSsaPss            If <code>true</code> use RSASSA-PSS algorithms,
+   *                             otherwise RSA#1.5
    */
   public CMSSignatureCreationProfileImpl(
       Set keySet,
@@ -80,7 +103,8 @@ public class CMSSignatureCreationProfileImpl
       boolean securityLayerConform,
       boolean includeData,
       String mimeType,
-      boolean isPAdESConform) {
+      boolean isPAdESConform,
+      boolean rsaSsaPss) {
     this.keySet = keySet;
     this.signedProperties = signedProperties;
     this.securityLayerConform = securityLayerConform;
@@ -88,6 +112,7 @@ public class CMSSignatureCreationProfileImpl
     this.mimeType = mimeType;
     this.digestMethod = digestMethod;
     this.isPAdESConform = isPAdESConform;
+    this.rsaSsaPss = rsaSsaPss;
 
   }
 
@@ -131,11 +156,70 @@ public class CMSSignatureCreationProfileImpl
           null);
     }
 
+    final String selectedSigAlg = selectBestSigAlg(algorithms, selectedKeyID);
+    Logger.trace("Selecting SigAlg: " + selectedSigAlg);
+    return selectedSigAlg;
+
+  }
+
+  /**
+   * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties()
+   */
+  @Override
+  public List getSignedProperties() {
+    return signedProperties;
+  }
+
+  /**
+   * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform()
+   */
+  @Override
+  public boolean isSecurityLayerConform() {
+    return securityLayerConform;
+  }
+
+  /**
+   * Sets the security layer conformity.
+   *
+   * @param securityLayerConform <code>true</code>, if the created signature is to
+   *                             be conform to the Security Layer specification.
+   */
+  public void setSecurityLayerConform(boolean securityLayerConform) {
+    this.securityLayerConform = securityLayerConform;
+  }
+
+  public void setDigestMethod(String digestMethod) {
+    this.digestMethod = digestMethod;
+  }
+
+  @Override
+  public String getMimeType() {
+    return mimeType;
+  }
+
+  @Override
+  public boolean includeData() {
+    return this.includeData;
+  }
+
+  @Override
+  public boolean isPAdESConform() {
+    return this.isPAdESConform;
+  }
+
+  private String selectBestSigAlg(Set algorithms, KeyEntryID selectedKeyID) throws AlgorithmUnavailableException {
+    Logger.trace("Key: " + selectedKeyID + " supports signingAlgs: " + StringUtils.join(algorithms, ","));
+
+    // TODO: maybe add support for parameterized RSASSA-PSS
+
     if (digestMethod.compareTo("SHA-1") == 0) {
       Logger.warn(
           "SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)");
 
-      if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) {
+      if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1)) {
+        return SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1;
+
+      } else if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) {
         return SignatureAlgorithms.SHA1_WITH_RSA;
 
       } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) {
@@ -152,7 +236,11 @@ public class CMSSignatureCreationProfileImpl
       }
 
     } else if (digestMethod.compareTo("SHA-256") == 0) {
-      if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+      if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) {
+
+        return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1;
+
+      } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
         return SignatureAlgorithms.SHA256_WITH_RSA;
 
       } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) {
@@ -168,7 +256,10 @@ public class CMSSignatureCreationProfileImpl
             null);
       }
     } else if (digestMethod.compareTo("SHA-384") == 0) {
-      if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
+      if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) {
+        return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1;
+
+      } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
         return SignatureAlgorithms.SHA384_WITH_RSA;
 
       } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) {
@@ -184,7 +275,10 @@ public class CMSSignatureCreationProfileImpl
             null);
       }
     } else if (digestMethod.compareTo("SHA-512") == 0) {
-      if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+      if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) {
+        return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1;
+
+      } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
         return SignatureAlgorithms.SHA512_WITH_RSA;
 
       } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) {
@@ -205,52 +299,6 @@ public class CMSSignatureCreationProfileImpl
           null,
           null);
     }
-
-  }
-
-  /**
-   * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties()
-   */
-  @Override
-  public List getSignedProperties() {
-    return signedProperties;
-  }
-
-  /**
-   * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform()
-   */
-  @Override
-  public boolean isSecurityLayerConform() {
-    return securityLayerConform;
-  }
-
-  /**
-   * Sets the security layer conformity.
-   *
-   * @param securityLayerConform <code>true</code>, if the created signature is to
-   *                             be conform to the Security Layer specification.
-   */
-  public void setSecurityLayerConform(boolean securityLayerConform) {
-    this.securityLayerConform = securityLayerConform;
-  }
-
-  public void setDigestMethod(String digestMethod) {
-    this.digestMethod = digestMethod;
-  }
-
-  @Override
-  public String getMimeType() {
-    return mimeType;
-  }
-
-  @Override
-  public boolean includeData() {
-    return this.includeData;
-  }
-
-  @Override
-  public boolean isPAdESConform() {
-    return this.isPAdESConform;
   }
 
 }
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java
index d1b776b..befeab7 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java
@@ -43,7 +43,6 @@ import iaik.pki.store.revocation.RevocationStoreException;
  * A customized implementation of
  * {@link iaik.pki.store.revocation.RevocationInfoRetriever}. Will be used
  * instead of the default implementation
- * {@link iaik.pki.store.revocation.CRLRetriever} to overcome a classloader
  * problem in connection with the {@link java.net.URL} class in a Tomcat
  * deployment environment.
  *
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java
index 22cceeb..0e12f89 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java
@@ -28,7 +28,6 @@ import iaik.pki.store.revocation.archive.DataBaseArchiveParameters;
 /**
  * An implementation of the <code>DataBaseArchiveParameter</code> interface.
  *
- * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter
  * @author Patrick Peck
  * @version $Id$
  */
@@ -46,9 +45,6 @@ public class DataBaseArchiveParameterImpl implements DataBaseArchiveParameters {
     this.jDBCUrl = jDBCUrl;
   }
 
-  /**
-   * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter#getJDBCUrl()
-   */
   @Override
   public String getJDBCUrl() {
     return jDBCUrl;
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java
index 9ef3764..7a036ec 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java
@@ -60,10 +60,9 @@ public class TrustStoreProfileImpl implements TrustStoreProfile {
   /**
    * Create a new <code>TrustStoreProfileImpl</code>.
    *
-   * @param config         The MOA configuration data, from which trust store
-   *                       configuration data is read.
-   * @param trustProfileId The trust profile id on which this
-   *                       <code>TrustStoreProfile</code> is based.
+   * @param trustProfileId  The trust profile id on which this
+   *                        <code>TrustStoreProfile</code> is based.
+   * @param trustProfileUri File path to trust profile
    * @throws MOAApplicationException The <code>trustProfileId</code> could not be
    *                                 found in the MOA configuration.
    */
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
index 516e3d8..b0fea7f 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
@@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.xmlsign;
 import java.util.List;
 import java.util.Set;
 
+import org.apache.commons.lang3.StringUtils;
+
 import at.gv.egovernment.moa.spss.server.logging.TransactionId;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
 import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
@@ -76,6 +78,7 @@ public class XMLSignatureCreationProfileImpl
   private final IdGenerator propertyIDGenerator;
   /** The selected digest method algorithm if XAdES 1.4.2 is used */
   private final String digestMethodXAdES142;
+  private final boolean rsaSsaPss;
 
   /**
    * Create a new <code>XMLSignatureCreationProfileImpl</code>.
@@ -85,11 +88,12 @@ public class XMLSignatureCreationProfileImpl
    *                           same request.
    * @param reservedIDs        The set of IDs that must not be used while
    *                           generating new IDs.
+   * @param useRsaSsaPss       Use RSASSA-PSS if supported
    */
   public XMLSignatureCreationProfileImpl(
       int createProfileCount,
       Set reservedIDs,
-      String digestMethodXAdES142) {
+      String digestMethodXAdES142, boolean useRsaSsaPss) {
     signatureIDGenerator =
         new IdGenerator("signature-" + createProfileCount, reservedIDs);
     manifestIDGenerator =
@@ -99,6 +103,8 @@ public class XMLSignatureCreationProfileImpl
     propertyIDGenerator =
         new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs);
     this.digestMethodXAdES142 = digestMethodXAdES142;
+    this.rsaSsaPss = useRsaSsaPss;
+
   }
 
   /**
@@ -159,6 +165,14 @@ public class XMLSignatureCreationProfileImpl
   @Override
   public String getSignatureAlgorithmName(KeyEntryID selectedKeyID)
       throws AlgorithmUnavailableException {
+    String sigAlgIdentifier = getInternalSignatureAlgorithmName(selectedKeyID);
+    Logger.debug("Selected SignatureAlgorithmIdentifier: " + sigAlgIdentifier);
+    return sigAlgIdentifier;
+
+  }
+
+  private String getInternalSignatureAlgorithmName(KeyEntryID selectedKeyID)
+      throws AlgorithmUnavailableException {
 
     final TransactionContext context =
         TransactionContextManager.getInstance().getTransactionContext();
@@ -174,21 +188,35 @@ public class XMLSignatureCreationProfileImpl
           e,
           null);
     }
+    Logger.trace("RSASSA-PSS: " + rsaSsaPss + " XAdESDigistAlg: " + digestMethodXAdES142
+        + " Algorithms: " + StringUtils.join(algorithms, ","));
 
+    // TODO: maybe add support for parameterized RSASSA-PSS
     if (digestMethodXAdES142 == null) {
       // XAdES 1.4.2 not enabled - legacy MOA
-      if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)
+      if (rsaSsaPss
+          && (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)
+              || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)
+              || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1))) {
+        return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1;
+
+      } else if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)
           || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA)
           || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA)
           || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA)
           || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)
-          || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+          || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)
+          || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)
+          || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+
+        return SignatureAlgorithms.SHA256_WITH_RSA;
 
-        return SignatureAlgorithms.SHA1_WITH_RSA;
       } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) {
         return SignatureAlgorithms.ECDSA;
+
       } else if (algorithms.contains(SignatureAlgorithms.DSA)) {
         return SignatureAlgorithms.DSA;
+
       } else {
         throw new AlgorithmUnavailableException(
             "No algorithm for key entry: " + selectedKeyID,
@@ -219,7 +247,10 @@ public class XMLSignatureCreationProfileImpl
         }
 
       } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) {
-        if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+        if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) {
+          return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1;
+
+        } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
           return SignatureAlgorithms.SHA256_WITH_RSA;
 
         } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) {
@@ -235,7 +266,10 @@ public class XMLSignatureCreationProfileImpl
               null);
         }
       } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) {
-        if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
+        if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) {
+          return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1;
+
+        } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
           return SignatureAlgorithms.SHA384_WITH_RSA;
 
         } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) {
@@ -251,7 +285,10 @@ public class XMLSignatureCreationProfileImpl
               null);
         }
       } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) {
-        if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+        if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) {
+          return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1;
+
+        } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
           return SignatureAlgorithms.SHA512_WITH_RSA;
 
         } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) {
author	Thomas Lenz <thomas.lenz@a-sit.at>	2025-09-25 06:29:19 +0000
committer	Thomas Lenz <thomas.lenz@a-sit.at>	2025-09-25 06:29:19 +0000
commit	32d859478da3c8368213ba398b70b8ee39861f03 (patch)
tree	6190080e24df905ad07295b2f241f61c5cb77c94 /moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik
parent	f332d5a3b6bbe0650f0f8485a1e92d4b2fe5dbf4 (diff)
parent	71c6b41accf6786cd790fd931c909f119979b2c6 (diff)
download	moa-sig-master.tar.gz moa-sig-master.tar.bz2 moa-sig-master.zip