diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-01-02 16:35:43 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-01-02 16:35:43 +0100 |
commit | 8574f931c169248c67c3a5946351f9072628af46 (patch) | |
tree | 56ac39e631af4cd11058c4ba1193180af9d2e1fe /moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server | |
parent | aabb36836ebfca9fe8cdc70dff13c0be7e5e761c (diff) | |
download | moa-sig-8574f931c169248c67c3a5946351f9072628af46.tar.gz moa-sig-8574f931c169248c67c3a5946351f9072628af46.tar.bz2 moa-sig-8574f931c169248c67c3a5946351f9072628af46.zip |
first untested beta version with new TSL lib
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server')
11 files changed, 384 insertions, 336 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 6c826ad..1b47013 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -42,6 +42,7 @@ import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.net.MalformedURLException; +import java.net.URISyntaxException; import java.security.Principal; import java.util.ArrayList; import java.util.Arrays; @@ -70,6 +71,7 @@ import at.gv.egovernment.moaspss.logging.Logger; import at.gv.egovernment.moaspss.util.Constants; import at.gv.egovernment.moaspss.util.DOMUtils; import at.gv.egovernment.moaspss.util.FileUtils; +import at.gv.egovernment.moaspss.util.MiscUtil; import at.gv.egovernment.moaspss.util.StringUtils; import at.gv.egovernment.moaspss.util.XPathUtils; @@ -1220,238 +1222,105 @@ public class ConfigurationPartsBuilder { * * @return The profile ID to profile mapping. */ - public Map buildTrustProfiles(String tslWorkingDir) + + public Map buildTrustProfiles() { Map trustProfiles = new HashMap(); NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); Element profileElem; - while ((profileElem = (Element) profileIter.nextNode()) != null) - { - String id = getElementValue(profileElem, CONF + "Id", null); - String trustAnchorsLocStr = getElementValue(profileElem, CONF + "TrustAnchorsLocation", null); - String signerCertsLocStr = getElementValue(profileElem, CONF + "SignerCertsLocation", null); - Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); - boolean tslEnabled = false; - if (eutslElem != null) //EUTSL element found --> TSL enabled - tslEnabled = true; - - String countries = getElementValue(profileElem, CONF + "EUTSL" + "/" + CONF + "CountrySelection", null); - - URI trustAnchorsLocURI = null; - try - { - trustAnchorsLocURI = new URI(trustAnchorsLocStr); - if (!trustAnchorsLocURI.isAbsolute()) { // make it absolute to the config file - trustAnchorsLocURI = new URI(configRoot_.toURL() + trustAnchorsLocStr); - } - } - catch (URIException e) { - warn("config.14", new Object[] { "uri", id, trustAnchorsLocStr }, e); - continue; - } - catch (MalformedURLException e) - { - warn("config.15", new Object[] {id}, e); - continue; - } - - File profileDir = new File(trustAnchorsLocURI.getPath()); - if (!profileDir.exists() || !profileDir.isDirectory()) { - warn("config.27", new Object[] { "uri", id }); - continue; - } - - - - if (trustProfiles.containsKey(id)) { - warn("config.04", new Object[] { "TrustProfile", id }); - continue; - } - - URI signerCertsLocURI = null; - if (signerCertsLocStr != null && !"".equals(signerCertsLocStr)) - { + while ((profileElem = (Element) profileIter.nextNode()) != null) { + //load basic TrustProfile information + + //check TrustProfileId + String id = getElementValue(profileElem, CONF + "Id", null); + if (MiscUtil.isEmpty(id)) { + warn("config.52", new Object[]{"Id des TrustProfiles ist leer."}); + continue; + + } + //cast profileId to lowercase (changed in 3.0.1) + id = id.trim().toLowerCase(); + if (trustProfiles.containsKey(id)) { + warn("config.04", new Object[] { "TrustProfile", id }); + continue; + } + + //check location of TrustAnchor directory + String trustAnchorsLocStr = getElementValue(profileElem, CONF + "TrustAnchorsLocation", null); + URI trustAnchorsLocURI = null; try { - signerCertsLocURI = new URI(signerCertsLocStr); - if (!signerCertsLocURI.isAbsolute()) signerCertsLocURI = new URI(configRoot_.toURL() + signerCertsLocStr); - - File signerCertsDir = new File(signerCertsLocURI.getPath()); - if (!signerCertsDir.exists() || !signerCertsDir.isDirectory()) { - warn("config.27", new Object[] { "signerCertsUri", id }); - continue; + trustAnchorsLocURI = new URI(trustAnchorsLocStr); + if (!trustAnchorsLocURI.isAbsolute()) { // make it absolute to the config file + trustAnchorsLocURI = new URI(configRoot_.toURL() + trustAnchorsLocStr); } } catch (URIException e) { - warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e); + warn("config.14", new Object[] { "uri", id, trustAnchorsLocStr }, e); continue; } - catch (MalformedURLException e) { + catch (MalformedURLException e) + { warn("config.15", new Object[] {id}, e); continue; } - } - - signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; - - TrustProfile profile = null; - - if (tslEnabled) { - // create new trust anchor location (=tslworking trust profile) - File fTslWorkingDir = new File(tslWorkingDir); - File tp = new File(fTslWorkingDir, "trustprofiles"); - if (!tp.exists()) - tp.mkdir(); - if (!tp.isDirectory()) { - error("config.50", new Object[] { tp.getPath() }); - } - - File tpid = new File(tp, id); - if (!tpid.exists()) - tpid.mkdir(); - if (!tpid.isDirectory()) { - error("config.50", new Object[] { tpid.getPath() }); - } - - - // create profile - profile = new TrustProfile(id, tpid.getAbsolutePath(), signerCertsLocStr, tslEnabled, countries); - - // set original uri (save original trust anchor location) - profile.setUriOrig(trustAnchorsLocURI.getPath()); - - // delete files in tslworking trust profile - File[] files = tpid.listFiles(); - for (File file : files) - file.delete(); - - // copy files from trustAnchorsLocURI into tslworking trust profile kopieren - File src = new File(trustAnchorsLocURI.getPath()); - files = src.listFiles(); - for (File file : files) { - FileUtils.copyFile(file, new File(tpid, file.getName())); - } - - - } else { - - profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, tslEnabled, countries); - - } - - trustProfiles.put(id, profile); - - } - - return trustProfiles; - } - - /** - * Build the trust profile mapping. - * - * @return The profile ID to profile mapping. - */ - public Map buildTrustProfiles() - { - Map trustProfiles = new HashMap(); - NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); - Element profileElem; - - while ((profileElem = (Element) profileIter.nextNode()) != null) - { - String id = getElementValue(profileElem, CONF + "Id", null); - String trustAnchorsLocStr = getElementValue(profileElem, CONF + "TrustAnchorsLocation", null); - String signerCertsLocStr = getElementValue(profileElem, CONF + "SignerCertsLocation", null); - - URI trustAnchorsLocURI = null; - try - { - trustAnchorsLocURI = new URI(trustAnchorsLocStr); - if (!trustAnchorsLocURI.isAbsolute()) { // make it absolute to the config file - trustAnchorsLocURI = new URI(configRoot_.toURL() + trustAnchorsLocStr); + File profileDir = new File(trustAnchorsLocURI.getPath()); + if (!profileDir.exists() || !profileDir.isDirectory()) { + warn("config.27", new Object[] { "uri", id }); + continue; } - } - catch (URIException e) { - warn("config.14", new Object[] { "uri", id, trustAnchorsLocStr }, e); - continue; - } - catch (MalformedURLException e) - { - warn("config.15", new Object[] {id}, e); - continue; - } - File profileDir = new File(trustAnchorsLocURI.getPath()); - if (!profileDir.exists() || !profileDir.isDirectory()) { - warn("config.27", new Object[] { "uri", id }); - continue; - } - - - - if (trustProfiles.containsKey(id)) { - warn("config.04", new Object[] { "TrustProfile", id }); - continue; - } - - URI signerCertsLocURI = null; - if (signerCertsLocStr != null && !"".equals(signerCertsLocStr)) - { - try + //check signerCertsLocation URL + String signerCertsLocStr = getElementValue(profileElem, CONF + "SignerCertsLocation", null); + URI signerCertsLocURI = null; + if (signerCertsLocStr != null && !"".equals(signerCertsLocStr)) { - signerCertsLocURI = new URI(signerCertsLocStr); - if (!signerCertsLocURI.isAbsolute()) signerCertsLocURI = new URI(configRoot_.toURL() + signerCertsLocStr); - - File signerCertsDir = new File(signerCertsLocURI.getPath()); - if (!signerCertsDir.exists() || !signerCertsDir.isDirectory()) { - warn("config.27", new Object[] { "signerCertsUri", id }); + try + { + signerCertsLocURI = new URI(signerCertsLocStr); + if (!signerCertsLocURI.isAbsolute()) signerCertsLocURI = new URI(configRoot_.toURL() + signerCertsLocStr); + + File signerCertsDir = new File(signerCertsLocURI.getPath()); + if (!signerCertsDir.exists() || !signerCertsDir.isDirectory()) { + warn("config.27", new Object[] { "signerCertsUri", id }); + continue; + } + } + catch (URIException e) { + warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e); continue; } - } - catch (URIException e) { - warn("config.14", new Object[] { "signerCertsUri", id, trustAnchorsLocStr }, e); - continue; - } - catch (MalformedURLException e) { - warn("config.15", new Object[] {id}, e); - continue; - } - } - - signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; - - TrustProfile profile = null; - - profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, false, null); + catch (MalformedURLException e) { + warn("config.15", new Object[] {id}, e); + continue; + } + } + signerCertsLocStr = (signerCertsLocURI != null) ? signerCertsLocURI.toString() : null; + + + //check if TSL support is enabled + Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); + boolean tslEnabled = false; + if (eutslElem != null) //EUTSL element found --> TSL enabled + tslEnabled = true; + + //load TSL configuration + String countries = getElementValue(profileElem, CONF + "EUTSL" + "/" + CONF + "CountrySelection", null); + String allowedTspStatus = getElementValue(profileElem, CONF + "EUTSL" + "/" + CONF + "AllowedTSPStatus", null); + String allowedTspServiceTypes = getElementValue(profileElem, CONF + "EUTSL" + "/" + CONF + "AllowedTSPServiceTypes", null); - trustProfiles.put(id, profile); + + //create profile configuration + TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, + tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes); + trustProfiles.put(id, profile); } return trustProfiles; } - - /** - * checks if a trustprofile with TSL support is enabled - * - * @return true if TSL support is enabled in at least one trustprofile, else false - */ - public boolean checkTrustProfilesTSLenabled() - { - NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), TRUST_PROFILE_XPATH); - Element profileElem; - - boolean tslSupportEnabled = false; - while ((profileElem = (Element) profileIter.nextNode()) != null) { - Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); - if (eutslElem != null) //EUTSL element found --> TSL enabled - tslSupportEnabled = true; - } - - return tslSupportEnabled; - } - + /** * Returns the location of the certificate store. * @@ -1805,6 +1674,44 @@ public class ConfigurationPartsBuilder { debug("config.39", new Object[] { "WorkingDirectory", workingDirectoryStr }); } + String qcQualifier = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "Evaluation/" + CONF + "QCQualifier", null); + if (MiscUtil.isEmpty(qcQualifier)) + info("config.39", new Object[] { "Evaluation/QCQualifier", " EMPTY" }); + + else { + String[] qcQualList = qcQualifier.split(","); + for (String el : qcQualList) { + try { + tslconfiguration.addQualifierForQC(new java.net.URI(el.trim())); + //info("config.39", new Object[] { "Evaluation/QCQualifier", el.trim() }); + + } catch (URISyntaxException e) { + warn("config.39", new Object[] { "Evaluation/QCQualifier", el.trim() }, e); + + } + + } + } + + String sscdQualifier = getElementValue(getConfigElem(), TSL_CONFIGURATION_XPATH + CONF + "Evaluation/" + CONF + "SSCDQualifier", null); + if (MiscUtil.isEmpty(qcQualifier)) + info("config.39", new Object[] { "Evaluation/SSCDQualifier", " EMPTY" }); + + else { + String[] sscdQualList = sscdQualifier.split(","); + for (String el : sscdQualList) { + try { + tslconfiguration.addQualifierForSSCD(new java.net.URI(el.trim())); + //info("config.39", new Object[] { "Evaluation/SSCDQualifier", el.trim() }); + + } catch (URISyntaxException e) { + warn("config.39", new Object[] { "Evaluation/SSCDQualifier", el.trim() }, e); + + } + + } + } + // convert update schedule starting time to Date object Calendar Cal = DatatypeConverter.parseDateTime(updateScheduleStartTime); Date updateScheduleStartTimeDate = Cal.getTime(); diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index d777d8f..79ef1d2 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -51,6 +51,7 @@ import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moaspss.logging.LogMsg; import at.gv.egovernment.moaspss.logging.Logger; import at.gv.egovernment.moaspss.util.DOMUtils; +import at.gv.egovernment.moaspss.util.MiscUtil; /** * A class providing access to the MOA configuration data. @@ -354,17 +355,17 @@ public class ConfigurationProvider // build the internal datastructures try { builder = new ConfigurationPartsBuilder(configElem, configRoot); + + //build TSL configuration + tslconfiguration_ = builder.getTSLConfiguration(); - if (builder.checkTrustProfilesTSLenabled()) { - debug("TSL support enabled for at least one trustprofile."); - tslconfiguration_ = builder.getTSLConfiguration(); - trustProfiles = builder.buildTrustProfiles(tslconfiguration_.getWorkingDirectory()); - } - else { - tslconfiguration_ = null; - trustProfiles = builder.buildTrustProfiles(); - } + //build TrustProfile configuration + trustProfiles = builder.buildTrustProfiles(); + //check TSL configuration + checkTSLConfiguration(); + + digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName(); canonicalizationAlgorithmName = builder.getCanonicalizationAlgorithmName(); @@ -401,13 +402,10 @@ public class ConfigurationProvider revocationArchiveJDBCDriverClass_ = builder.getRevocationArchiveJDBCDriverClass(); - - //check TSL configuration - checkTSLConfiguration(); - + //TODO!!!! + certStoreLocation_ = builder.getCertStoreLocation(); - certStoreLocation_ = builder.getCertStoreLocation(); createTransformsInfoProfiles = builder.buildCreateTransformsInfoProfiles(); createSignatureEnvironmentProfiles = builder.buildCreateSignatureEnvironmentProfiles(); verifyTransformsInfoProfiles = builder.buildVerifyTransformsInfoProfiles(); @@ -451,19 +449,19 @@ public class ConfigurationProvider } } - private boolean checkTSLenableTrustprofilesExist()throws ConfigurationException { - boolean bTSLEnabledTPExist = false; - Iterator it = trustProfiles.entrySet().iterator(); - while (it.hasNext()) { - Map.Entry pairs = (Map.Entry)it.next(); - TrustProfile tp = (TrustProfile) pairs.getValue(); - if (tp.isTSLEnabled()) - bTSLEnabledTPExist = bTSLEnabledTPExist || true; - } - - return bTSLEnabledTPExist; - - } +// private boolean checkTSLenableTrustprofilesExist()throws ConfigurationException { +// boolean bTSLEnabledTPExist = false; +// Iterator it = trustProfiles.entrySet().iterator(); +// while (it.hasNext()) { +// Map.Entry pairs = (Map.Entry)it.next(); +// TrustProfile tp = (TrustProfile) pairs.getValue(); +// if (tp.isTSLEnabled()) +// bTSLEnabledTPExist = bTSLEnabledTPExist || true; +// } +// +// return bTSLEnabledTPExist; +// +// } private void checkTSLConfiguration() throws ConfigurationException { boolean bTSLEnabledTPExist = false; @@ -516,7 +514,7 @@ public class ConfigurationProvider return; } - System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); +// System.setProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR", hashcache.getAbsolutePath()); // String hashcachedir = System.getProperty("iaik.xml.crypto.tsl.BinaryHashCache.DIR"); // System.out.println("Hashcache: " + hashcachedir); @@ -826,7 +824,14 @@ public class ConfigurationProvider * <code>null</code>, if none exists. */ public TrustProfile getTrustProfile(String id) { - return (TrustProfile) trustProfiles.get(id); + + if (MiscUtil.isNotEmpty(id)) { + id = id.trim().toLowerCase(); + return (TrustProfile) trustProfiles.get(id); + + } + + return null; } /** diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java index 21063c7..f64643f 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java @@ -24,6 +24,15 @@ package at.gv.egovernment.moa.spss.server.config; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import at.gv.egovernment.moa.sig.tsl.TslConstants; +import at.gv.egovernment.moaspss.logging.Logger; +import at.gv.egovernment.moaspss.util.MiscUtil; import iaik.x509.X509Certificate; /** @@ -39,14 +48,15 @@ public class TrustProfile { private String uri; /** The URI giving the location of the allowed signer certificates. */ private String signerCertsUri; + /** Defines if Trustprofile makes use of EU TSL*/ private boolean tslEnabled; - /** The original URI (out of the configuration) giving the location of the trust profile (used when TSL is enabled) */ - private String uriOrig; /** The countries given */ - private String countries; - /** */ - private X509Certificate[] certificatesToBeRemoved; + private List<String> countries = new ArrayList<String>(); + + private List<URI> allowedTspStatus = new ArrayList<URI>(); + private List<URI> allowedTspServiceTypes = new ArrayList<URI>(); + /** * Create a <code>TrustProfile</code>. @@ -55,16 +65,90 @@ public class TrustProfile { * @param uri The URI of the <code>TrustProfile</code> to create. * @param signerCertsUri The URI of the location of the allowed signer * certificates of the <code>TrustProfile</code> to create. + * @param allowedTspServiceTypes + * @param allowedTspStatus */ - public TrustProfile(String id, String uri, String signerCertsUri, boolean tslEnabled, String countries) { + public TrustProfile(String id, String uri, String signerCertsUri, + boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes) { this.id = id; this.uri = uri; this.signerCertsUri = signerCertsUri; + + //TSL configuration parameters this.tslEnabled = tslEnabled; - this.countries = countries; - this.certificatesToBeRemoved = new X509Certificate[0]; + + setCountries(countries); + Logger.debug("TrustProfile "+ id + " allows " + Arrays.toString(this.countries.toArray()) + " TSL countries"); + + setAllowedTspStatus(allowedTspStatus); + Logger.debug("TrustProfile "+ id + " allows " + Arrays.toString(this.allowedTspStatus.toArray()) + " TSP status identifier"); + + setAllowedTspServiceTypes(allowedTspServiceTypes); + Logger.debug("TrustProfile "+ id + " allows " + Arrays.toString(this.allowedTspServiceTypes.toArray()) + " TSL service-type identifier"); + } + private void setCountries(String countries) { + if (MiscUtil.isNotEmpty(countries)) { + String[] ccArray = countries.split(","); + for (String el : ccArray) + this.countries.add(el.trim()); + + } + } + + private void setAllowedTspStatus(String allowedTspStatus) { + if (MiscUtil.isNotEmpty(allowedTspStatus)) { + String[] ccArray = allowedTspStatus.split(","); + for (String el : ccArray) { + try { + this.allowedTspStatus.add(new URI(el.trim())); + + } catch (URISyntaxException e) { + Logger.warn("TrustProfile: " + this.id + " contains a non-valid TSP Status identifier (" + el + ")"); + + } + + } + + } else { + Logger.info("Use default set of TSP Status identifier"); + this.allowedTspStatus.addAll( + Arrays.asList( + TslConstants.SERVICE_STATUS_SORT_TO_URI.get(TslConstants.SERVICE_STATUS_SHORT.granted), + TslConstants.SERVICE_STATUS_SORT_TO_URI.get(TslConstants.SERVICE_STATUS_SHORT.recognisedatnationallevel), + TslConstants.SERVICE_STATUS_SORT_TO_URI.get(TslConstants.SERVICE_STATUS_SHORT.accredited), + TslConstants.SERVICE_STATUS_SORT_TO_URI.get(TslConstants.SERVICE_STATUS_SHORT.undersupervision))); + + } + + } + + private void setAllowedTspServiceTypes(String allowedTspServiceTypes) { + if (MiscUtil.isNotEmpty(allowedTspServiceTypes)) { + String[] ccArray = allowedTspServiceTypes.split(","); + for (String el : ccArray) { + try { + this.allowedTspStatus.add(new URI(el.trim())); + + } catch (URISyntaxException e) { + Logger.warn("TrustProfile: " + this.id + " contains a non-valid TSP Service-Type identifier (" + el + ")"); + + } + + } + + } else { + Logger.info("Use default set of TSP Service-Type identifier"); + this.allowedTspStatus.addAll( + Arrays.asList( + TslConstants.SERVICE_STATUS_SORT_TO_URI.get(TslConstants.SERVICE_TYPE_SHORT.CA_QC), + TslConstants.SERVICE_STATUS_SORT_TO_URI.get(TslConstants.SERVICE_TYPE_SHORT.TSA_QTST))); + + } + + } + /** * Return the ID of this <code>TrustProfile</code>. * @@ -83,14 +167,6 @@ public class TrustProfile { return uri; } - /** - * Return the original URI of this <code>TrustProfile</code>. - * - * @return The original URI of <code>TrustProfile</code>. - */ - public String getUriOrig() { - return uriOrig; - } /** * Return the URI giving the location of the allowed signer certificates @@ -112,21 +188,21 @@ public class TrustProfile { * Returns the given countries * @return Given countries */ - public String getCountries() { + public List<String> getCountries() { if (!tslEnabled) return null; else return countries; } - - - /** - * Sets the original URI of this <code>TrustProfile</code>. - * - * @return The original URI of <code>TrustProfile</code>. - */ - public void setUriOrig(String uriOrig) { - this.uriOrig = uriOrig; + + public List<URI> getAllowedTspStatus() { + return allowedTspStatus; + } + + public List<URI> getAllowedTspServiceTypes() { + return allowedTspServiceTypes; } + + } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CertStoreConfigurationImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CertStoreConfigurationImpl.java index a4f7660..1aa5f6a 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CertStoreConfigurationImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CertStoreConfigurationImpl.java @@ -30,9 +30,11 @@ import org.apache.commons.io.FileUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egovernment.moa.sig.tsl.exception.TslException; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moa.spss.server.logging.IaikLog; import at.gv.egovernment.moa.spss.server.logging.TransactionId; +import at.gv.egovernment.moa.spss.tsl.TSLServiceFactory; import iaik.logging.Log; import iaik.pki.store.certstore.CertStoreConfiguration; import iaik.pki.store.certstore.CertStoreParameters; @@ -68,7 +70,20 @@ public class CertStoreConfigurationImpl extends AbstractObservableConfiguration DirectoryCertStoreParameters dirParameters = new DirectoryCertStoreParametersImpl("MOA Directory CertStore", certStoreRoot, true, false); - parameters = new CertStoreParameters[] { dirParameters }; + if (TSLServiceFactory.isInitialized()) { + try { + CertStoreParameters tslCertStore = TSLServiceFactory.getTSLServiceClient().getCertStoreWithTSLCertificates(); + parameters = new CertStoreParameters[] { dirParameters, tslCertStore}; + + } catch (TslException e) { + logger.warn("TSL based CertStore initialisation FAILED.", e); + logger.warn("Only Directory based CertStore is used ... "); + parameters = new CertStoreParameters[] { dirParameters }; + } + + } else + parameters = new CertStoreParameters[] { dirParameters }; + } /** diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java index 3f6998a..b776255 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java @@ -27,11 +27,21 @@ import iaik.pki.PKIProfile; import iaik.pki.pathvalidation.ValidationProfile; import iaik.pki.revocation.RevocationProfile; import iaik.pki.store.truststore.TrustStoreProfile; +import iaik.pki.store.truststore.TrustStoreTypes; + +import java.util.Arrays; + +import at.gv.egovernment.moa.sig.tsl.exception.TslPKIException; +import at.gv.egovernment.moa.sig.tsl.pki.TslTrustStoreProfile; +import at.gv.egovernment.moa.sig.tsl.pki.chaining.ChainingTrustStoreProfile; import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.config.TrustProfile; import at.gv.egovernment.moa.spss.server.iaik.pki.pathvalidation.ValidationProfileImpl; import at.gv.egovernment.moa.spss.server.iaik.pki.revocation.RevocationProfileImpl; import at.gv.egovernment.moa.spss.server.iaik.pki.store.truststore.TrustStoreProfileImpl; +import at.gv.egovernment.moa.spss.tsl.TSLServiceFactory; +import at.gv.egovernment.moaspss.logging.Logger; /** * Implementation of the <code>PKIProfile</code> interface containing @@ -70,10 +80,58 @@ public class PKIProfileImpl implements PKIProfile { this.config = config; setRevocationProfile(new RevocationProfileImpl(config)); - setTrustStoreProfile(new TrustStoreProfileImpl(config, trustProfileID)); setValidationProfile(new ValidationProfileImpl(config)); + + //generate TrustStoreProfile from TrustStore configuration + internalTrustProfileBuilder(trustProfileID); + } + + private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException { + TrustProfile tp = (TrustProfile) config.getTrustProfile(trustProfileId); + if (tp != null) { + //build directory based trust store as default + + + if (tp.isTSLEnabled()) { + //build TSL truststore if enabled + TslTrustStoreProfile tslTrustStore; + try { + tslTrustStore = TSLServiceFactory.getTSLServiceClient(). + buildTrustStoreProfile( + tp.getCountries(), + tp.getAllowedTspStatus(), + tp.getAllowedTspServiceTypes(), + trustProfileId + "_TSL"); + + //build Directory based TrustStore + TrustStoreProfileImpl directoryTrustStore = new TrustStoreProfileImpl(trustProfileId + "_Directory", tp.getUri()); + + //generate a virtual truststore that concatenates the TSL TrustStore and the directory TrustStore + ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile( + Arrays.asList(tslTrustStore, directoryTrustStore), + trustProfileId); + + //set this virtual truststore + setTrustStoreProfile(chainedProfile); + + } catch (TslPKIException e) { + Logger.error("Virtual TSL based TrustProfile generation FAILED.", e); + throw new MOAApplicationException("2900", new Object[] { trustProfileId }); + + } + + } else + setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri())); + + } else { + throw new MOAApplicationException("2203", new Object[] { trustProfileId }); + + } + + } + /** * @see iaik.pki.PKIProfile#autoAddCertificates() */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java index 50f237a..c9f4f28 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java @@ -60,6 +60,25 @@ public class TrustStoreProfileImpl implements TrustStoreProfile { /** The URI of the trust profile.*/ private String URI; + + /** + * Create a new <code>TrustStoreProfileImpl</code>. + * + * @param config The MOA configuration data, from which trust store + * configuration data is read. + * @param trustProfileId The trust profile id on which this + * <code>TrustStoreProfile</code> is based. + * @throws MOAApplicationException The <code>trustProfileId</code> could not + * be found in the MOA configuration. + */ + public TrustStoreProfileImpl(String trustProfileId, String trustProfileUri) + throws MOAApplicationException { + id_ = trustProfileId; + setURI(trustProfileUri); + setType(TrustStoreTypes.DIRECTORY); + + } + /** * Create a new <code>TrustStoreProfileImpl</code>. * @@ -70,6 +89,7 @@ public class TrustStoreProfileImpl implements TrustStoreProfile { * @throws MOAApplicationException The <code>trustProfileId</code> could not * be found in the MOA configuration. */ + @Deprecated public TrustStoreProfileImpl( ConfigurationProvider config, String trustProfileId) diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index 28f0645..8ff0b12 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -36,13 +36,13 @@ import java.util.Timer; import org.slf4j.LoggerFactory; +import at.gv.egovernment.moa.sig.tsl.config.TslConfigurationImpl; import at.gv.egovernment.moa.spss.MOAException; import at.gv.egovernment.moa.spss.api.common.TSLConfiguration; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator; import at.gv.egovernment.moa.spss.server.service.RevocationArchiveCleaner; -import at.gv.egovernment.moa.spss.tsl.connector.MOATSLVerifier; -import at.gv.egovernment.moa.spss.tsl.connector.TSLConnector; +import at.gv.egovernment.moa.spss.tsl.TSLServiceFactory; import at.gv.egovernment.moa.spss.tsl.timer.TSLUpdaterTimerTask; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moaspss.logging.LogMsg; @@ -55,10 +55,6 @@ import iaik.asn1.ObjectID; import iaik.pki.store.certstore.CertStoreException; import iaik.pki.store.truststore.TrustStoreException; import iaik.server.ConfigurationData; -import iaik.xml.crypto.tsl.SecuredSAXParserFactoryImpl; -import iaik.xml.crypto.tsl.ex.TSLEngineDiedException; -import iaik.xml.crypto.tsl.ex.TSLSearchException; -import iaik.xml.crypto.tsl.verify.ITSLVerifierFactory; /** * MOA SP/SS web service initialization. @@ -150,55 +146,33 @@ public class SystemInitializer { ConfigurationProvider config = ConfigurationProvider.getInstance(); Logger.info("Building ConfigurationData"); ConfigurationData configData = new IaikConfigurator().configure(config); - + //initialize TSL module - TSLConfiguration tslconfig = config.getTSLConfiguration(); - - TSLConnector tslconnector = new TSLConnector(); - if (tslconfig != null) { - //Logger.info(new LogMsg(msg.getMessage("init.01", null))); - SecuredSAXParserFactoryImpl.newInstance(); - Logger.info(new LogMsg(msg.getMessage("config.41", null))); - - ITSLVerifierFactory.setITSLVerifier(new MOATSLVerifier()); + TSLConfiguration moaSPTslConfig = config.getTSLConfiguration(); + if (moaSPTslConfig != null) { + TslConfigurationImpl tslConfig = new TslConfigurationImpl(); + tslConfig.setEuTslURL(moaSPTslConfig.getEuTSLUrl()); + tslConfig.setTslWorkingDirectory(moaSPTslConfig.getWorkingDirectory()); - tslconnector.initialize(tslconfig.getEuTSLUrl(), tslconfig.getWorkingDirectory(), null, null); - - } - - //start TSL Update - TSLUpdaterTimerTask.tslconnector_ = tslconnector; - TSLUpdaterTimerTask.configData_ = configData; - TSLUpdaterTimerTask.update(); - - //initialize TSL Update Task - initTSLUpdateTask(tslconfig); - - runInitializer(config); + Logger.info(new LogMsg(msg.getMessage("config.41", null))); + TSLServiceFactory.initialize(tslConfig); + Logger.info("TSL-Service client initialization finished"); + + //initialize TSL Update Task + initTSLUpdateTask(moaSPTslConfig); + + } - Logger.info(new LogMsg(msg.getMessage("init.01", null))); + runInitializer(config); + Logger.info(new LogMsg(msg.getMessage("init.01", null))); + } catch (MOAException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } - catch (TSLEngineDiedException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } - catch (TSLSearchException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } - catch (CertStoreException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (TrustStoreException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (FileNotFoundException e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (IOException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (CertificateException e) { - Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); - } catch (Throwable e) { + + } catch (Throwable e) { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); throw new RuntimeException(e); + } finally { logger.info("Configuration initialized"); } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index ba0474c..1508b42 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -42,6 +42,7 @@ import at.gv.egovernment.moa.spss.api.cmsverify.CMSDataObject; import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest; import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse; import at.gv.egovernment.moa.spss.api.common.ExtendedCertificateCheckResult; +import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moa.spss.server.config.TrustProfile; import at.gv.egovernment.moa.spss.server.logging.IaikLog; import at.gv.egovernment.moa.spss.server.logging.TransactionId; @@ -304,7 +305,7 @@ public class CMSSignatureVerificationInvoker { i++; } - qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), trustProfile.isTSLEnabled(), ConfigurationProvider.getInstance()); // get signer certificate issuer country code issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)); @@ -312,7 +313,8 @@ public class CMSSignatureVerificationInvoker { } responseBuilder.addResult(cmsResult, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), - qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode, adesResults, extCheckResult); + qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode, adesResults, extCheckResult, + qcsscdresult.getTslInfos()); } private void handlePDFResult(Object resultObject, VerifyCMSSignatureResponseBuilder responseBuilder, @@ -371,7 +373,7 @@ public class CMSSignatureVerificationInvoker { i++; } - qcsscdresult = CertificateUtils.checkQCSSCD(chain, trustProfile.isTSLEnabled()); + qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), trustProfile.isTSLEnabled(), ConfigurationProvider.getInstance()); // get signer certificate issuer country code issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)); @@ -380,7 +382,7 @@ public class CMSSignatureVerificationInvoker { responseBuilder.addResult(cmsResult, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode, adesResults, - extCheckResult); + extCheckResult, qcsscdresult.getTslInfos()); } /** diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java index 1136ff2..6e8448b 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/IaikExceptionMapper.java @@ -84,8 +84,7 @@ public class IaikExceptionMapper { { iaik.server.modules.xmlverify.SupplementException.class, "2230", MOAApplicationException.class }, { iaik.server.modules.xmlverify.TransformationException.class, "2265", MOAApplicationException.class }, { iaik.server.modules.xmlverify.TransformationParsingException.class, "2269", MOAApplicationException.class }, - { iaik.xml.crypto.tsl.ex.TSLEngineDiedException.class, "2290", MOAApplicationException.class }, - { iaik.xml.crypto.tsl.ex.TSLSearchException.class, "2290", MOAApplicationException.class } , + { at.gv.egovernment.moa.sig.tsl.exception.TslException.class, "2290", MOAApplicationException.class }, { iaik.server.modules.cmssign.CMSSignatureCreationException.class, "2300", MOAApplicationException.class } , @@ -157,20 +156,9 @@ public class IaikExceptionMapper { * @return A <code>MOAException</code> containing the message for the * given <code>IAIKException</code>. */ - public MOAException map(iaik.xml.crypto.tsl.ex.TSLSearchException tslSearchException) { + public MOAException map(at.gv.egovernment.moa.sig.tsl.exception.TslException tslSearchException) { return mapImpl(tslSearchException); } - - /** - * Map an <code>iaik.xml.crypto.tsl.ex.TSLEngineDiedException</code> to a <code>MOAException</code>. - * - * @param tslEngineDiedException The <code>iaik.xml.crypto.tsl.ex.TSLEngineDiedException</code> to map. - * @return A <code>MOAException</code> containing the message for the - * given <code>IAIKException</code>. - */ - public MOAException map(iaik.xml.crypto.tsl.ex.TSLEngineDiedException tslEngineDiedException) { - return mapImpl(tslEngineDiedException); - } /** * Map an <code>IAIKException</code> to a <code>MOAException</code>. diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index fe2a9ad..5ada287 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -39,6 +39,7 @@ import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElemen import at.gv.egovernment.moa.spss.api.common.CheckResult; import at.gv.egovernment.moa.spss.api.common.ExtendedCertificateCheckResult; import at.gv.egovernment.moa.spss.api.common.SignerInfo; +import at.gv.egovernment.moa.spss.api.common.TslInfos; import at.gv.egovernment.moa.spss.server.config.TrustProfile; /** @@ -82,7 +83,7 @@ public class VerifyCMSSignatureResponseBuilder { * @throws MOAException */ public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, String issuerCountryCode, List adesResults, - ExtendedCertificateCheckResult extendedCertificateCheckResult) + ExtendedCertificateCheckResult extendedCertificateCheckResult, TslInfos tslInfos) throws MOAException { CertificateValidationResult certResult = @@ -109,7 +110,8 @@ public class VerifyCMSSignatureResponseBuilder { checkSSCD, sscdSourceTSL, issuerCountryCode, - result.getSigningTime()); + result.getSigningTime(), + tslInfos); // add SignatureCheck element signatureCheck = factory.createCheckResult(signatureCheckCode, null); @@ -142,7 +144,7 @@ public class VerifyCMSSignatureResponseBuilder { * @throws MOAException */ public void addResult(PDFSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, boolean qcSourceTSL, boolean checkSSCD, boolean sscdSourceTSL, String issuerCountryCode, List adesResults, - ExtendedCertificateCheckResult extendedCertificateCheckResult) + ExtendedCertificateCheckResult extendedCertificateCheckResult, TslInfos tslInfos) throws MOAException { CertificateValidationResult certResult = @@ -169,7 +171,8 @@ public class VerifyCMSSignatureResponseBuilder { checkSSCD, sscdSourceTSL, issuerCountryCode, - result.getSigningTime()); + result.getSigningTime(), + tslInfos); // add SignatureCheck element signatureCheck = factory.createCheckResult(signatureCheckCode, null); diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index c3ebda4..827728c 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -277,8 +277,8 @@ public class XMLSignatureVerificationInvoker { chain[i] = (X509Certificate) it.next(); i++; } - - qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled()); + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, plainResult.getSigningTime(), tp.isTSLEnabled(), config); } // get signer certificate issuer country code @@ -303,7 +303,7 @@ public class XMLSignatureVerificationInvoker { // build the response responseBuilder.setResult(plainResult, profile, signatureManifestCheck, certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), - qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode); + qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode, qcsscdresult.getTslInfos()); return responseBuilder.getResponse(); } |