| author | Thomas Lenz <thomas.lenz@a-sit.at> | 2025-09-25 06:29:19 +0000 |
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@a-sit.at> | 2025-09-25 06:29:19 +0000 |
| commit | 32d859478da3c8368213ba398b70b8ee39861f03 (patch) | |
| tree | 6190080e24df905ad07295b2f241f61c5cb77c94 /moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke | |
| parent | f332d5a3b6bbe0650f0f8485a1e92d4b2fe5dbf4 (diff) | |
| parent | 71c6b41accf6786cd790fd931c909f119979b2c6 (diff) | |
| download | moa-sig-master.tar.gz moa-sig-master.tar.bz2 moa-sig-master.zip | |
Nightlybuild
See merge request egiz/moa-sig!3
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke')
7 files changed, 98 insertions, 65 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java index 5624f45..4ae1866 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java @@ -221,6 +221,7 @@ public class CMSSignatureCreationInvoker { // get digest algorithm final String digestAlgorithm = getDigestAlgorithm(config, keyGroupID); + final boolean useRsaSsaPss = isRsaSsaPssActive(config, keyGroupID); // create CMSSignatureCreation profile: final CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl( @@ -230,7 +231,8 @@ public class CMSSignatureCreationInvoker { isSecurityLayerConform, includeData, mimetype, - isPAdESConformRequired); + isPAdESConformRequired, + useRsaSsaPss); // create CMSSignature from the CMSSignatureCreationModule // build the additionalSignedProperties 
@@ -344,13 +346,23 @@ public class CMSSignatureCreationInvoker { } + private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass(); + final boolean configUseRsaSsaPss = config.isUseRsaSsaPss(); + return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss; + + } + private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) throws MOASystemException { // get digest method on key group level (if configured) final String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); + // get default digest method (if configured) final String configDigestMethod = config.getDigestMethodAlgorithmName(); + String digestMethod = null; if (configDigestMethodKG != null) { // if KG specific digest method is configured diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 1a0791b..7aca40e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -86,7 +86,7 @@ public class CMSSignatureVerificationInvoker { /** * Return the only instance of this class. - * + * * @return The only instance of this class. */ public static synchronized CMSSignatureVerificationInvoker getInstance() { @@ -98,7 +98,7 @@ public class CMSSignatureVerificationInvoker { /** * Create a new <code>CMSSignatureVerificationInvoker</code>. - * + * * Protected to disallow multiple instances. */ protected CMSSignatureVerificationInvoker() { 
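Review bot: The new isRsaSsaPssActive helper has no Javadoc, and the precedence it implements — the key-group flag wins when it is non-null, otherwise the global `isUseRsaSsaPss()` default applies — is a policy choice worth stating, because it decides which RSA signature scheme a key group ends up signing with. Suggest `/** Resolves whether RSASSA-PSS is used for the given key group: the key-group setting wins when configured, otherwise the global default applies. */` above the method, and drop the stray blank line before its closing brace. The key-group getter is spelled `isUseRsaSsaPass()` while the global one is `isUseRsaSsaPss()`; if that is not deliberate it is worth aligning in the key-group configuration class. The same helper is added again (with a trace statement) in XMLSignatureCreationProfileFactory later in this commit; one shared helper on ConfigurationProvider would keep the two resolutions from drifting apart. getDigestAlgorithm's body continues outside the hunk.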
@@ -106,7 +106,7 @@ public class CMSSignatureVerificationInvoker { /** * Verify a CMS signature. - * + * * @param request The <code>VerifyCMSSignatureRequest</code> containing the CMS * signature, as well as additional data needed for verification. * @return Element A <code>VerifyCMSSignatureResponse</code> containing the @@ -118,7 +118,7 @@ public class CMSSignatureVerificationInvoker { final CMSSignatureVerificationProfileFactory profileFactory = new CMSSignatureVerificationProfileFactory( request); - final VerifyCMSSignatureResponseBuilder responseBuilder = new VerifyCMSSignatureResponseBuilder(); + final TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); final LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext(); InputStream signature; @@ -219,7 +219,7 @@ public class CMSSignatureVerificationInvoker { } } - final QCSSCDResult qcsscdresult = new QCSSCDResult(); + final VerifyCMSSignatureResponseBuilder responseBuilder = new VerifyCMSSignatureResponseBuilder(); // build the response: for each signatory add the result to the response signatories = request.getSignatories(); @@ -248,7 +248,7 @@ public class CMSSignatureVerificationInvoker { handlePDFResult(resultObject, responseBuilder, trustProfile); } } catch (final IndexOutOfBoundsException e) { - throw new MOAApplicationException("2249", new Object[] { new Integer(sigIndex) }); + throw new MOAApplicationException("2249", new Object[] { Integer.valueOf(sigIndex) }); } } } 
@@ -402,8 +402,8 @@ public class CMSSignatureVerificationInvoker { i++; } - qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), trustProfile - .isTSLEnabled(), ConfigurationProvider.getInstance()); + qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), + trustProfile.isTSLEnabled(), ConfigurationProvider.getInstance()); // get signer certificate issuer country code issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)); @@ -419,7 +419,7 @@ public class CMSSignatureVerificationInvoker { /** * Get the signed content contained either in the request itself or given as a * reference to external data. - * + * * @param request The <code>VerifyCMSSignatureRequest</code> containing the * signed content (or the reference to the signed content). * @return InputStream A stream providing the signed content data, or diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java index bc5d884..bca9b8e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java 
@@ -69,12 +69,12 @@ public class CreateCMSSignatureResponseBuilder { /** * Add a <code>SignatureEnvironment</code> element to the response. * - * @param signatureEnvironment The content to put under the - * <code>SignatureEnvironment</code> element. This - * should either be a <code>dsig:Signature</code> - * element (in case of a detached signature) or the - * signature environment containing the signature - * (in case of an enveloping signature). + * @param base64value The content to put under the + * <code>SignatureEnvironment</code> element. This should + * either be a <code>dsig:Signature</code> element (in case + * of a detached signature) or the signature environment + * containing the signature (in case of an enveloping + * signature). */ public void addCMSSignature(String base64value) { final CMSSignatureResponse responseElement = @@ -84,7 +84,7 @@ public class CreateCMSSignatureResponseBuilder { /** * Add a <code>ErrorResponse</code> element to the response. - * + * * @param errorCode The error code. * @param info Additional information about the error. */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index 813d28e..79b4c29 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java 
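Review bot: The renamed `@param base64value` tag in addCMSSignature's Javadoc still carries the XML-signature description ("a dsig:Signature element ... enveloping signature"), which does not fit a method that takes a Base64 string for a CMS signature — the commit fixed the tag name but not the text. Suggest `@param base64value The Base64-encoded CMS signature to put under the <code>SignatureEnvironment</code> element.` The method body continues outside the hunk.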
@@ -74,15 +74,26 @@ public class VerifyCMSSignatureResponseBuilder { /** * Add a verification result to the response. * - * @param result The result to add. - * @param trustprofile The actual trustprofile - * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the - * certificate as qualified, otherwise <code>false</code>. - * @param checkSSCD <code>true</code>, if the TSL check verifies the - * signature based on a SSDC, otherwise - * <code>false</code>. - * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from - * the TSL, otherwise <code>false</code>. + * @param result The result to add. + * @param trustProfile The actual trustprofile + * @param checkQC <code>true</code>, if the TSL check + * verifies the certificate as qualified, + * otherwise <code>false</code>. + * @param qcSourceTSL <true> if QC info comes from the TSL, + * otherwise <code>false</code>. + * @param checkSSCD <code>true</code>, if the TSL check + * verifies the signature based on a SSDC, + * otherwise <code>false</code>. + * @param sscdSourceTSL <code>true</code>, if the SSCD + * information comes from the TSL, + * otherwise <code>false</code>. + * @param issuerCountryCode TSL issuer country + * @param adesResults Form validation results + * @param extendedCertificateCheckResult Extended validation results + * @param tslInfos Full TSL validation result + * @param extendedVerification <code>true</code> if extended + * validation was used, otherwise + * <code>false</code> * @throws MOAException */ public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, @@ -150,7 +161,7 @@ public class VerifyCMSSignatureResponseBuilder { } /** - * + * * @param result * @param trustProfile * @param checkQC 
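Review bot: The new `@param qcSourceTSL <true> if QC info comes from the TSL` line uses a bare `<true>`, which Javadoc treats as an unknown HTML tag (doclint reports it as an error) and renders oddly; every sibling parameter uses `<code>true</code>`, so this should read `@param qcSourceTSL <code>true</code> if QC info comes from the TSL,`. The trailing `@throws MOAException` still has no description; stating when it is thrown would complete the rewritten Javadoc. The addResult signature continues outside the hunk.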
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 7e882ed..25ce8d1 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java @@ -515,7 +515,7 @@ public class VerifyXMLSignatureResponseBuilder { try { if (refInfo.isHashCalculated() && !refInfo.isHashValid()) { - failedReferencesList.add(new Integer(i + 1)); + failedReferencesList.add(Integer.valueOf(i + 1)); } } catch (final HashUnavailableException e) { // nothing to do here because we called refInfo.isHashCalculated first diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java index c097b0c..46c4983 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java @@ -191,8 +191,10 @@ public class XMLSignatureCreationProfileFactory { } } + final XMLSignatureCreationProfileImpl profile = - new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142); + new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142, + isRsaSsaPssActive(config, keyGroupID)); // build the transformation supplements createTransformsProfiles = 
@@ -260,6 +262,21 @@ public class XMLSignatureCreationProfileFactory { return profile; } + private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass(); + final boolean configUseRsaSsaPss = config.isUseRsaSsaPss(); + + Logger.trace("Config using RSASSA-PSS. KeyStore: " + + useRsaSsaPssKg != null + ? useRsaSsaPssKg + : "NOT-DEFINED" + + " Default: " + config); + + return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss; + + } + /** * Get the <code>List</code> of all <code>CreateTransformsInfoProfile</code>s * contained in all the <code>DataObjectInfo</code>s of the given diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index b97cc95..0fb2d82 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java 
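Review bot: The Logger.trace call in the new isRsaSsaPssActive never logs what it intends to, because string concatenation binds tighter than `!=` and `?:`: it parses as `("Config using RSASSA-PSS. KeyStore: " + useRsaSsaPssKg) != null ? useRsaSsaPssKg : ("NOT-DEFINED" + " Default: " + config)`, the concatenated prefix is never null, so only the bare Boolean (possibly null) is logged and the prefix and default are dropped. The else branch also appends the whole `config` object rather than the resolved `configUseRsaSsaPss`. Suggested form: `Logger.trace("Config using RSASSA-PSS. KeyStore: " + (useRsaSsaPssKg != null ? useRsaSsaPssKg : "NOT-DEFINED") + " Default: " + configUseRsaSsaPss);`. The method otherwise duplicates the helper added to CMSSignatureCreationInvoker earlier in this commit, so a shared helper would keep the two in step; the enclosing class continues outside the hunk.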
@@ -110,34 +110,27 @@ import iaik.xml.crypto.utils.URIException; public class XMLSignatureVerificationInvoker { /** The single instance of this class. */ - private static XMLSignatureVerificationInvoker instance = null; + private static final XMLSignatureVerificationInvoker INSTANCE = new XMLSignatureVerificationInvoker(); - private static Set FILTERED_REF_TYPES; - - static { - FILTERED_REF_TYPES = new HashSet(); - FILTERED_REF_TYPES.add(DsigManifest.XML_DSIG_MANIFEST_TYPE); - FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE); - FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD); - FILTERED_REF_TYPES.add(XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties"); - FILTERED_REF_TYPES.add("http://uri.etsi.org/01903#SignedProperties"); - } + private static final Set<String> FILTERED_REF_TYPES = Set.of( + DsigManifest.XML_DSIG_MANIFEST_TYPE, + SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE, + SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD, + XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties", + "http://uri.etsi.org/01903#SignedProperties"); /** * Get the single instance of this class. - * + * * @return The single instance of this class. */ - public static synchronized XMLSignatureVerificationInvoker getInstance() { - if (instance == null) { - instance = new XMLSignatureVerificationInvoker(); - } - return instance; + public static XMLSignatureVerificationInvoker getInstance() { + return INSTANCE; } /** * Create a new <code>XMLSignatureCreationInvoker</code>. - * + * * Protected to disallow multiple instances. */ protected XMLSignatureVerificationInvoker() { 
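Review bot: Replacing the HashSet static block with `Set.of(...)` changes failure behaviour: `Set.of` throws IllegalArgumentException on duplicate elements and NullPointerException on a null element, and either would surface as ExceptionInInitializerError when XMLSignatureVerificationInvoker is first loaded. Whether any of the five values coincide depends on constants outside this hunk — in particular `XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties"` versus the literal `"http://uri.etsi.org/01903#SignedProperties"` — so this should be confirmed; `Set.copyOf(List.of(...))` keeps the unmodifiable result while tolerating duplicates (it needs the matching `java.util.List` import). Relatedly, the eager `INSTANCE = new XMLSignatureVerificationInvoker()` means any exception from the protected constructor (its body is outside the hunk) now fails class loading instead of being raised from getInstance(), which the previous lazy singleton allowed callers to catch. The context Javadoc still says "Create a new XMLSignatureCreationInvoker" for this class's constructor.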
@@ -146,8 +139,8 @@ public class XMLSignatureVerificationInvoker { /** * Process the <code>VerifyXMLSignatureRequest<code> message and invoke the * <code>XMLSignatureVerificationModule</code>. - * - * @param request A <code>VerifyXMLSignatureRequest<code> API object + * + * @param request A <code>VerifyXMLSignatureRequest<code> API object * containing the data for verifying an XML signature. * @return A <code>VerifyXMLSignatureResponse</code> containing the answert * to the <code>VerifyXMLSignatureRequest</code>. MOA schema @@ -307,16 +300,16 @@ public class XMLSignatureVerificationInvoker { /** * Checks if the signer certificate matches one of the allowed signer * certificates specified in the provided <code>trustProfile</code>. - * + * * @param result The result produced by the * <code>XMLSignatureVerificationModule</code>. - * + * * @param trustProfile The trust profile the signer certificate is validated * against. - * + * * @return The overal result of the certificate validation for the signer * certificate. - * + * * @throws MOAException if one of the signer certificates specified in the * <code>trustProfile</code> cannot be read from the file * system. @@ -392,7 +385,7 @@ public class XMLSignatureVerificationInvoker { /** * Select the <code>dsig:Signature</code> DOM element within the signature * environment. - * + * * @param signatureEnvironment The signature environment containing the * <code>dsig:Signature</code>. * @param request The <code>VerifyXMLSignatureRequest</code> @@ -425,7 +418,7 @@ public class XMLSignatureVerificationInvoker { /** * Build the supplemental data objects contained in the * <code>VerifyXMLSignatureRequest</code>. - * + * * @param supplements A <code>List</code> of * <code>XMLDataObjectAssociation</code>s containing the * supplement data. 
@@ -458,7 +451,7 @@ public class XMLSignatureVerificationInvoker { /** * Get the supplemental data contained in the * <code>VerifyXMLSignatureRequest</code>. - * + * * @param request The <code>VerifyXMLSignatureRequest</code> containing the * supplemental data. * @return A <code>List</code> of <code>XMLDataObjectAssociation</code> objects @@ -490,7 +483,7 @@ public class XMLSignatureVerificationInvoker { /** * Perform additional validations of the * <code>XMLSignatureVerificationResult</code>. - * + * * <p> * In particular, it is verified that: * <ul> @@ -500,7 +493,7 @@ public class XMLSignatureVerificationInvoker { * <li>The hash values of the <code>TransformParameter</code>s are valid.</li> * </ul> * </p> - * + * * @param request The <code>VerifyXMLSignatureRequest</code> containing the * signature to verify. * @param result The result produced by @@ -546,7 +539,7 @@ public class XMLSignatureVerificationInvoker { } if (!found) { - final Integer refIndex = new Integer(refData.getReferenceIndex()); + final Integer refIndex = Integer.valueOf(refData.getReferenceIndex()); final String logMsg = msg.getMessage("invoker.01", new Object[] { refIndex }); failedReferencesList.add(refIndex); @@ -588,8 +581,8 @@ public class XMLSignatureVerificationInvoker { final int[] failedReferences = new int[] { ref.getReferenceIndex() }; final ReferencesCheckResultInfo checkInfo = factory.createReferencesCheckResultInfo(null, failedReferences); - final String logMsg = msg.getMessage("invoker.02", new Object[] { new Integer(ref - .getReferenceIndex()) }); + final String logMsg = msg.getMessage("invoker.02", new Object[] { + Integer.valueOf(ref.getReferenceIndex()) }); Logger.debug(new LogMsg(logMsg)); 
@@ -605,7 +598,7 @@ public class XMLSignatureVerificationInvoker { * Get all <code>Transform</code>s contained in all the * <code>VerifyTransformsInfoProfile</code>s of the given * <code>ReferenceInfo</code>. - * + * * @param refInfo The <code>ReferenceInfo</code> object containing the * transformations. * @return A <code>List</code> of <code>List</code>s. Each of the @@ -637,7 +630,7 @@ public class XMLSignatureVerificationInvoker { /** * Build the <code>Set</code> of all <code>TransformParameter</code> URIs. - * + * * @param transformParameters The <code>List</code> of * <code>TransformParameter</code>s, as provided to * the verification. @@ -658,7 +651,7 @@ public class XMLSignatureVerificationInvoker { /** * Build a mapping between <code>TransformParameter</code> URIs (a * <code>String</code> and <code>dsig:HashValue</code> (a <code>byte[]</code>). - * + * * @param request The <code>VerifyXMLSignatureRequest</code>. * @return Map The resulting mapping. * @throws MOAApplicationException An error occurred accessing one of the @@ -703,7 +696,7 @@ public class XMLSignatureVerificationInvoker { * Filter the <code>ReferenceInfo</code>s returned by the * <code>VerifyXMLSignatureResult</code> for comparison with the * <code>ReferenceInfo</code> elements in the request. - * + * * @param referenceInfos The <code>ReferenceInfo</code>s from the * <code>VerifyXMLSignatureResult</code>. * @return A <code>List</code> of all <code>ReferenceInfo</code>s whose type is |
