5 files changed, 103 insertions, 74 deletions
diff --git a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd index 986903d..279e027 100644 --- a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd +++ b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd @@ -137,6 +137,7 @@ <xs:element name="SignatureVerification" minOccurs="0"> <xs:complexType> <xs:sequence> + <xs:element name="StrictSignatureValueParsing" type="xs:boolean" minOccurs="0" maxOccurs="1" /> <xs:element name="CertificateValidation"> <xs:complexType> <xs:sequence> diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 6a79a87..dc18239 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -52,7 +52,6 @@ import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.api.common.TSLConfiguration; import at.gv.egovernment.moa.spss.api.impl.TSLConfigurationImpl; import at.gv.egovernment.moa.spss.api.xmlbind.ProfileParser; -import at.gv.egovernment.moa.spss.api.xmlbind.TransformParser; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moaspss.logging.LogMsg; import at.gv.egovernment.moaspss.logging.Logger; @@ -61,7 +60,6 @@ import at.gv.egovernment.moaspss.util.DOMUtils; import at.gv.egovernment.moaspss.util.MiscUtil; import at.gv.egovernment.moaspss.util.StringUtils; import at.gv.egovernment.moaspss.util.XPathUtils; -import iaik.asn1.structures.Name; //import iaik.ixsil.exceptions.URIException; //import iaik.ixsil.util.URI; import iaik.pki.pathvalidation.ChainingModes; 
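Review bot: The new `StrictSignatureValueParsing` element carries no `xs:annotation`, so the schema does not tell an operator what the flag controls or that leaving it out keeps strict parsing on; the `true` default lives only in code, in `ConfigurationPartsBuilder.isStrictSignatureValueParsingEnabled`, elsewhere in this commit. I would add an `xs:annotation`/`xs:documentation` child stating that the element controls strict checking of ASN.1 encoded signature values and is treated as `true` when absent. Because it is inserted at the head of an `xs:sequence`, a configuration that places it after `CertificateValidation` will fail schema validation; that ordering is worth stating in the same annotation.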
@@ -69,7 +67,6 @@ import iaik.pki.revocation.RevocationSourceTypes; import iaik.server.modules.xml.BlackListEntry; import iaik.server.modules.xml.ExternalReferenceChecker; import iaik.server.modules.xml.WhiteListEntry; -import iaik.server.modules.xmlverify.TransformationParsingException; import iaik.utils.RFC2253NameParser; import iaik.utils.RFC2253NameParserException; import iaik.xml.crypto.utils.URI; @@ -100,7 +97,7 @@ public class ConfigurationPartsBuilder { private static final int SHORT_TIME_CERT_DEFAULT_INTERVAL = 0; private static final boolean SHORT_TIME_CERT_DEFAULT_ETSI = true; - + // // XPath expressions to select certain parts of the configuration // @@ -180,6 +177,10 @@ public class ConfigurationPartsBuilder { + CONF + "PathConstruction/" + CONF + "AutoAddEECertificates"; + private static final String STRICT_SIGNATURE_VALUE_PARSING_XPATH_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "StrictSignatureValueParsing"; + private static final String USE_AUTHORITY_INFO_ACCESS_XPATH_ = ROOT + CONF + "SignatureVerification/" + CONF + "CertificateValidation/" @@ -212,17 +213,17 @@ public class ConfigurationPartsBuilder { + CONF + "RevocationChecking/" + CONF + "CrlRetentionIntervals/" + CONF + "CA"; - + private static final String SHORT_TIME_CERTS_INTERVALS_XPATH = ROOT + CONF + "SignatureVerification/" + CONF + "CertificateValidation/" + CONF + "RevocationChecking/" + CONF + "ShortTermedCertificates"; - + private static final String SHORT_TIME_CERTS_INTERVALS_CA_XPATH = SHORT_TIME_CERTS_INTERVALS_XPATH + "/" + CONF + "CA"; - + private static final String ENABLE_REVOCATION_CHECKING_XPATH_ = ROOT + CONF + "SignatureVerification/" + CONF + "CertificateValidation/" @@ -441,7 +442,7 @@ public class ConfigurationPartsBuilder { /** * Get the connection timeout to set-up a network connection - * + * * @return timeout in milliseconds [ms] */ public int getConnectionTimeout() { 
@@ -463,7 +464,7 @@ public class ConfigurationPartsBuilder { return defaultConnectionTimeout * 1000; } - + public int getReadTimeout() { final String connectionTimeout = getElementValue(getConfigElem(), READ_TIMEOUT_XPATH_, "30"); @@ -1086,7 +1087,7 @@ public class ConfigurationPartsBuilder { /** * Build the <code>CreateSignatureEnvironmentProfile</code>s. - * + * * @return The mapping from profile ID to profile. */ public Map buildCreateSignatureEnvironmentProfiles() { @@ -1100,20 +1101,20 @@ public class ConfigurationPartsBuilder { */ public Map buildVerifyTransformsInfoProfiles() { Map<String, Element> profiles = loadProfiles(VERIFY_TRANSFORMS_INFO_PROFILE_XPATH, "VerifyTransformsInfoProfile"); - + // validate entries - ProfileParser profileParser = new ProfileParser(); + ProfileParser profileParser = new ProfileParser(); profiles.entrySet().forEach(el -> { try { profileParser.parseVerifyTransformsInfoProfile(el.getValue()); - + } catch (MOAApplicationException e) { Logger.warn("TransformationProfile with Id:" + el.getKey() + " is invalid: " + e.getMessage()); - } + } }); return profiles; - + } /** @@ -1506,7 +1507,7 @@ public class ConfigurationPartsBuilder { /** * Returns the JDBC driver class name for the revocation archive database. - * + * * @return the JDBC driver class name for the revocation archive database, or * <code>null</code, if the corresponding parameter is not set in the * configuration. @@ -1594,13 +1595,18 @@ public class ConfigurationPartsBuilder { public boolean getAutoEEAddCertificates() { final String autoAdd = getElementValue(getConfigElem(), AUTO_ADD_EE_CERTIFICATES_XPATH_, null); - if (autoAdd != null) { + if (autoAdd != null) { return Boolean.valueOf(autoAdd).booleanValue(); - + } else { return false; - + } + } + + public boolean isStrictSignatureValueParsingEnabled() { + final String isActive = getElementValue(getConfigElem(), STRICT_SIGNATURE_VALUE_PARSING_XPATH_, "true"); + return Boolean.valueOf(isActive).booleanValue(); } 
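Review bot: `isStrictSignatureValueParsingEnabled` in the `@@ -1594` hunk maps every value other than `true` to `false`: `Boolean.valueOf("1")` is `false`, yet `1` is a valid `xs:boolean` under the schema change in this same commit, so a configuration that spells the flag as `1` silently turns the strict check off — a fail-open outcome for a security-relevant setting. I would recognise the four `xs:boolean` spellings explicitly and keep strict parsing enabled for anything unrecognised, logging the unexpected value so the misconfiguration is visible; the existing `getAutoEEAddCertificates` just above uses the same `Boolean.valueOf` pattern, though this commit does not touch its logic. Whether `getElementValue` already trims the element text is not visible here, hence the explicit `trim()`.
```java
public boolean isStrictSignatureValueParsingEnabled() {
  final String isActive = getElementValue(getConfigElem(), STRICT_SIGNATURE_VALUE_PARSING_XPATH_, "true").trim();
  if ("false".equalsIgnoreCase(isActive) || "0".equals(isActive)) {
    return false;
  }
  if (!"true".equalsIgnoreCase(isActive) && !"1".equals(isActive)) {
    // fail closed: an unknown value keeps the strict check active
    Logger.warn("Unknown value '" + isActive + "' for StrictSignatureValueParsing, keeping strict parsing enabled");
  }
  return true;
}
```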
@@ -1757,53 +1763,53 @@ public class ConfigurationPartsBuilder { return map; } - + /** * Should ETSI extension should be used for short-time certificate validation. - * + * * @return <code>true</code> if it is used */ public boolean isShotTimeCertEtsiExtCheck() { final NodeIterator modIter = XPathUtils.selectNodeIterator( getConfigElem(), SHORT_TIME_CERTS_INTERVALS_XPATH); - + Element modElem; - if ((modElem = (Element) modIter.nextNode()) != null) { - Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension")); - Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension"); + if ((modElem = (Element) modIter.nextNode()) != null) { + Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension")); + Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension"); return value; - + } - - return SHORT_TIME_CERT_DEFAULT_ETSI; + + return SHORT_TIME_CERT_DEFAULT_ETSI; } - + /** * Get default shortTime certificate interval. - * + * * @return Time in minutes */ public int getShotTimeCertDefaultInterval() { final NodeIterator modIter = XPathUtils.selectNodeIterator( getConfigElem(), SHORT_TIME_CERTS_INTERVALS_XPATH); - + Element modElem; if ((modElem = (Element) modIter.nextNode()) != null) { String defaultString = modElem.getAttribute("defaultValidityPeriod"); Logger.debug("Set default shortTimePeriodInterval to: " + defaultString); return Integer.valueOf(defaultString); - + } - - return SHORT_TIME_CERT_DEFAULT_INTERVAL; + + return SHORT_TIME_CERT_DEFAULT_INTERVAL; } - - + + /** * Returns a map of shortTime certificate intervals. - * + * * <p> * No revocation checks are performed during this interval. * </p> @@ -1824,10 +1830,10 @@ public class ConfigurationPartsBuilder { final Integer interval = new Integer(i); map.put(x509IssuerName, interval); Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName); - + } return map; } - + } 
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 85930b2..3c720a1 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -112,6 +112,9 @@ public class ConfigurationProvider { private int connectionTimeout; private int readTimeout; + /** Enable strict parsing or ASN.1 signature values */ + private boolean strictSignatureValueParsing = true; + /** * A <code>List</code> of <code>HardwareCryptoModule</code> objects for * configuring hardware modules. @@ -258,12 +261,12 @@ public class ConfigurationProvider { */ private Map crlRetentionIntervals; - + private boolean useShortTimeCertificateEtisExt; private int defaultShortTimeCertificatePeriod; private Map<String, Integer> shortTimeCertificatePeriods; - - + + /** * Indicates wether external URIs are allowed or not */ @@ -384,13 +387,15 @@ public class ConfigurationProvider { allKeyModules.addAll(softwareKeyModules); keyGroups = builder.buildKeyGroups(allKeyModules); keyGroupMappings = builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); - + this.connectionTimeout = builder.getConnectionTimeout(); Logger.debug("Set 'Connection-Timeout' to " + String.valueOf(this.connectionTimeout) + "[ms]"); - + this.readTimeout = builder.getReadTimeout(); Logger.debug("Set 'Read-Timeout' to " + String.valueOf(this.readTimeout) + "[ms]"); - + + strictSignatureValueParsing = builder.isStrictSignatureValueParsingEnabled(); + pdfAsConfiguration = builder.getPDFASConfiguration(); adesFormResults = builder.getAdesFormResult(); xadesVersion = builder.getXAdESVersion(); 
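Review bot: The field comment `/** Enable strict parsing or ASN.1 signature values */` on the new `strictSignatureValueParsing` field in the `@@ -112` hunk has a typo (`or` should be `of`) and describes an action rather than the state the field holds; I would write `/** Whether strict parsing of ASN.1 encoded signature values is enabled (default: true). */`. In the `@@ -384` hunk the assignment `strictSignatureValueParsing = builder.isStrictSignatureValueParsingEnabled();` sits between the connection- and read-timeout assignments, each of which logs its effective value with `Logger.debug`, while the new setting is assigned silently; a matching `Logger.debug("Set 'StrictSignatureValueParsing' to " + strictSignatureValueParsing);` would keep the configuration log complete at the point the value is read.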
@@ -425,7 +430,7 @@ public class ConfigurationProvider { shortTimeCertificatePeriods = builder.getShotTimeCertIntervals(); defaultShortTimeCertificatePeriod = builder.getShotTimeCertDefaultInterval(); useShortTimeCertificateEtisExt = builder.isShotTimeCertEtsiExtCheck(); - + allowExternalUris_ = builder.allowExternalUris(); if (allowExternalUris_) { @@ -681,7 +686,7 @@ public class ConfigurationProvider { // Entry thisEntry = (Entry) entries.next(); // System.out.println("Entry: " + thisEntry.getKey()); // System.out.println("Value: " + thisEntry.getValue()); -// } +// } mapping = (Map) keyGroupMappings.get(issuerAndSerial); if (mapping != null) { @@ -972,6 +977,19 @@ public class ConfigurationProvider { } /** + * Activates / deactivates strict parsing of ASN.1 encoded signature values. + * + * <p> + * <b>Default:</b> true + * </p> + * + * @return <code>true</code> if enabled, otherwise <code>false</code> + */ + public boolean isStrictSignatureValueParsing() { + return strictSignatureValueParsing; + } + + /** * Returns whether the certificate extension Authority Info Access should be * used during certificate path construction. * @@ -1008,7 +1026,7 @@ public class ConfigurationProvider { public TSLConfiguration getTSLConfiguration() { return tslconfiguration_; } - + public int getDefaultShortTimeCertificatePeriod() { return defaultShortTimeCertificatePeriod; } @@ -1021,20 +1039,20 @@ public class ConfigurationProvider { return shortTimeCertificatePeriods; } - - + + public static final String normalizeX500Names(String x500Name) { try { final RFC2253NameParser parser = new RFC2253NameParser(x500Name); final Name name = parser.parse(); return name.getRFC2253String(); - + } catch (final RFC2253NameParserException e) { Logger.info("X500Name: " + x500Name + " can not be normalized. Use it as it is"); return x500Name; - + } - + } - + }
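Review bot: The Javadoc on the new `isStrictSignatureValueParsing` accessor in the `@@ -972` hunk opens with `Activates / deactivates strict parsing of ASN.1 encoded signature values.`, but the method only returns the field and changes nothing; the summary should describe the query, e.g. `Returns whether strict parsing of ASN.1 encoded signature values is enabled.` The `<b>Default:</b> true` paragraph agrees with the field initialiser in this file and can stay as it is.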
\ No newline at end of file diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index 9ba731d..d8d99bd 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -47,6 +47,7 @@ import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; import at.gv.egovernment.moaspss.util.Constants; import at.gv.egovernment.moaspss.util.DOMUtils; +import iaik.asn1.INTEGER; import iaik.asn1.ObjectID; import iaik.pkcs.pkcs12.PKCS12KeyStore; import iaik.server.ConfigurationData; @@ -61,12 +62,12 @@ import iaik.utils.RFC2253NameParser; public class SystemInitializer { private static final org.slf4j.Logger logger = LoggerFactory.getLogger(SystemInitializer.class); - + /** * 15 min TSL reload scheduler interval. */ private static final long TSL_SCHEDULE_INTERVAL = 5*60*1000; - + /** Interval between archive cleanups in seconds */ private static final long ARCHIVE_CLEANUP_INTERVAL = 60 * 60; // 1h @@ -115,10 +116,10 @@ public class SystemInitializer { RFC2253NameParser.register( "organizationIdentifier", new ObjectID("2.5.4.97", "organizationIdentifier", (String) null, false)); - + // initialize configuration initializeMoaSigConfiguraion(); - + // start the archive cleanup thread Thread archiveCleaner = new Thread(new RevocationArchiveCleaner(ARCHIVE_CLEANUP_INTERVAL)); @@ -149,9 +150,9 @@ public class SystemInitializer { private static void initializeMoaSigConfiguraion() { final MessageProvider msg = MessageProvider.getInstance(); - + try { - + Logger.info("Initialize MOA-SP/SS configuration ... "); config = ConfigurationProvider.getInstance(); 
@@ -177,12 +178,17 @@ public class SystemInitializer { iaikConfiguration = IaikConfigurator.configure(config); runInitializer(config); - - // set Fallback mode in IAIK KeyStore implementation to 'true' to fix problems default behavior of JVM + + // set Fallback mode in IAIK KeyStore implementation to 'true' to fix problems default behavior of JVM PKCS12KeyStore.setUseJKSFallBack(true); - Logger.info("Set fallback mode in: " + PKCS12KeyStore.class.getSimpleName() + Logger.info("Set fallback mode in: " + PKCS12KeyStore.class.getSimpleName() + " to :" + PKCS12KeyStore.getUseJKSFallBack()); - + + INTEGER.checkForMinumumLengthEncoding(config.isStrictSignatureValueParsing()); + Logger.info(config.isStrictSignatureValueParsing() ? "Enable" + : "Disable" + + " strict parsing of ASN.1 encoded signature values"); + Logger.info(new LogMsg(msg.getMessage("init.01", null))); } catch (final MOAException e) { @@ -193,9 +199,9 @@ public class SystemInitializer { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); throw new RuntimeException(e); - } + } } - + private static void loadXsdSchemaIntoXmlParser() { // parsing/validating try { @@ -221,10 +227,10 @@ public class SystemInitializer { } } catch (final IOException e) { Logger.warn(new LogMsg(MessageProvider.getInstance().getMessage("init.04", null)), e); - - } + + } } - + private static void initTSLUpdateTask(TSLConfiguration tslconfig) { final MessageProvider msg = MessageProvider.getInstance(); if (tslconfig != null) { @@ -254,14 +260,14 @@ public class SystemInitializer { if (start.before(now)) { start = new Date(start.getTime() + 86400000); } - + Logger.debug(new LogMsg(msg.getMessage("config.46", new String[] { start.toString(), "" + period }))); // start TSL updater task final Timer timer = new Timer("TSL_DB_Updater"); - timer.schedule(new TSLUpdaterTimerTask(start, period), + timer.schedule(new TSLUpdaterTimerTask(start, period), new Date(now.getTime() + TSL_SCHEDULE_INTERVAL), TSL_SCHEDULE_INTERVAL); - + } } 
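Review bot: The log statement following `INTEGER.checkForMinumumLengthEncoding(...)` in the `@@ -177` hunk has an operator-precedence bug: `+` binds tighter than `?:`, so the expression parses as `cond ? "Enable" : ("Disable" + " strict parsing ...")`, and when strict parsing is enabled the line logs only `Enable`. Parenthesise the conditional as the existing `isShotTimeCertEtsiExtCheck` code does: `Logger.info((config.isStrictSignatureValueParsing() ? "Enable" : "Disable") + " strict parsing of ASN.1 encoded signature values");`. Separately, `checkForMinumumLengthEncoding` is a static call on `iaik.asn1.INTEGER`, which suggests it toggles process-wide ASN.1 parser behaviour rather than something scoped to signature verification, and it is placed after `IaikConfigurator.configure(config)` and `runInitializer(config)`; if either of those already parses ASN.1 structures, they do so under the library default, which is worth confirming and, if so, moving the call ahead of them. The enclosing try block starts before this hunk.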
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index e18f957..1a0791b 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -343,8 +343,6 @@ public class CMSSignatureVerificationInvoker { PDFSignatureVerificationResult cmsResult = null; List adesResults = null; boolean extendedVerification = false; - final Boolean coversFullDoc = null; - final int[] sigByteRange = null; ExtendedCertificateCheckResult extCheckResult = null; if (resultObject instanceof ExtendedPDFSignatureVerificationResult) { |
