9 files changed, 247 insertions, 65 deletions
diff --git a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd index d9cecf1..57c2e1d 100644 --- a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd +++ b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.2.0.xsd @@ -98,6 +98,7 @@ </xs:sequence> <xs:element name="DigestMethodAlgorithm" minOccurs="0"/> </xs:sequence> + <xs:attribute name="RSASSA-PSS" type="xs:boolean"/> </xs:complexType> </xs:element> <xs:element name="KeyGroupMapping" maxOccurs="unbounded"> @@ -131,6 +132,11 @@ </xs:sequence> </xs:complexType> </xs:element> + <xs:element name="Signing" minOccurs="0"> + <xs:complexType> + <xs:attribute name="RSASSA-PSS" type="xs:boolean" default="true"/> + </xs:complexType> + </xs:element> </xs:sequence> </xs:complexType> </xs:element> diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 75da0a6..ff2f9a5 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -154,6 +154,11 @@ public class ConfigurationPartsBuilder { private static final String KEYGROUP_MAPPING_XPATH = ROOT + CONF + "SignatureCreation/" + CONF + "KeyGroupMapping"; + + private static final String SIGN_PARAMS_XPATH = + ROOT + CONF + "SignatureCreation/" + + CONF + "Signing"; + private static final String ISSUER_XPATH = DSIG + "X509IssuerName"; private static final String SERIAL_XPATH = 
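Review bot: The new `RSASSA-PSS` attribute on `KeyGroup` has no `default`, while the one on the new `Signing` element defaults to `true`; that asymmetry is what lets an omitted key-group attribute mean "inherit the global setting", but nothing in the schema says so, and a reader has to go to ConfigurationPartsBuilder and the invokers to learn it. An `<xs:annotation><xs:documentation>` on the `KeyGroup` attribute stating that an omitted attribute falls back to the `Signing` setting, and one on `Signing` noting that its `default="true"` only applies when the element itself is present, would make the three-state contract visible where administrators read it.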
@@ -759,9 +764,22 @@ public class ConfigurationPartsBuilder { final String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null); - final Set keyGroupEntries = - buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); - final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm); + final Set keyGroupEntries = buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); + + String rsaSsaPssAttr = keyGroupElem.getAttribute("RSASSA-PSS"); + Boolean useRsaSsaPss = null; + if (org.apache.commons.lang3.StringUtils.isNotEmpty(rsaSsaPssAttr)) { + useRsaSsaPss = Boolean.valueOf(keyGroupElem.getAttribute("RSASSA-PSS")); + Logger.info((useRsaSsaPss ? "Enable" : "Disable") + + " RSASSA-PSS as primary signature-algorithm for keyGroup: " + keyGroupId); + + } else { + Logger.debug("RSASSA-PSS is not defined for keyGroup: " + keyGroupId); + + } + + final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, + keyGroupDigestMethodAlgorithm, useRsaSsaPss); if (keyGroups.containsKey(keyGroupId)) { warn("config.04", new Object[] { "KeyGroup", keyGroupId }); 
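Review bot: `useRsaSsaPss = Boolean.valueOf(keyGroupElem.getAttribute("RSASSA-PSS"))` re-reads the attribute instead of using the `rsaSsaPssAttr` local fetched two lines earlier, and `Boolean.valueOf` accepts only the literal `true` (case-insensitively): every other value, including `1`, which is in the lexical space of the schema's `xs:boolean`, silently becomes `false` and disables PSS for the key group without any warning. I would parse the value once and reject anything outside the legal lexical forms, e.g. `final String v = rsaSsaPssAttr.trim(); useRsaSsaPss = "true".equalsIgnoreCase(v) || "1".equals(v);` with a logged warning for unrecognised values. Writing `org.apache.commons.lang3.StringUtils` fully qualified inline is also out of step with the rest of the file, assuming the import block (outside this hunk) follows the usual style. The same `Boolean.valueOf` parsing is used by `isRsaSsaPssEnabled` in the next hunk.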
@@ -1770,6 +1788,33 @@ public class ConfigurationPartsBuilder { return map; } + /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * <p> + * <b>Default: </b> <code>true</code> + * </p> + * + * @return <code>true</code> if RSASSA-PSS should be used, otherwise false. + */ + public boolean isRsaSsaPssEnabled() { + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SIGN_PARAMS_XPATH); + + + Element modElem; + if ((modElem = (Element) modIter.nextNode()) != null) { + Boolean value = Boolean.valueOf(modElem.getAttribute("RSASSA-PSS")); + Logger.debug((value ? "Enable" : "Disable") + " RSASSA-PSS as primary signature-algorithm for RSA"); + return value; + + } else { + Logger.debug("Enable RSASSA-PSS as primary signature-algorithm for RSA"); + return true; + + } + } /** * Should ETSI extension should be used for short-time certificate validation. @@ -1792,6 +1837,7 @@ public class ConfigurationPartsBuilder { return SHORT_TIME_CERT_DEFAULT_ETSI; } + /** * Get default shortTime certificate interval. * diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 3c720a1..6856e56 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -103,6 +103,9 @@ public class ConfigurationProvider { /** The default canonicalization algorithm name */ private String canonicalizationAlgorithmName; + /** The default of use RSASSA-PSS if supported */ + private boolean useRsaSsaPss; + /** The XAdES version used for signature creation */ private String xadesVersion; 
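Review bot: `isRsaSsaPssEnabled` returns `false` when `<Signing/>` is present without the attribute: `modElem.getAttribute("RSASSA-PSS")` yields an empty string for a missing DOM attribute and `Boolean.valueOf("")` is `false`, so the documented default of `true` (and the schema's `default="true"`) only holds when the element is absent altogether — unless the configuration is parsed with a schema-aware, attribute-defaulting parser, which is not visible from here. Mirror the key-group hunk and treat an empty attribute as "not set": `final String attr = modElem.getAttribute("RSASSA-PSS"); if (attr.isEmpty()) { return true; }` before the `Boolean.valueOf` call. The assignment-inside-condition `if ((modElem = (Element) modIter.nextNode()) != null)` would read more plainly as a separate statement followed by a null check, and the Javadoc should name the source of the value (the `RSASSA-PSS` attribute of `SignatureCreation/Signing`). The `@@ -1792` hunk only adds a blank line.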
@@ -375,6 +378,8 @@ public class ConfigurationProvider { // check TSL configuration checkTSLConfiguration(); + useRsaSsaPss = builder.isRsaSsaPssEnabled(); + digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName(); canonicalizationAlgorithmName = builder.getCanonicalizationAlgorithmName(); @@ -556,6 +561,15 @@ public class ConfigurationProvider { } /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * @return <code>true</code> if RSASSA-PSS should be used, otherwise false. + */ + public boolean isUseRsaSsaPss() { + return useRsaSsaPss; + } + + /** * Return the XAdES version used for signature creation. * * @return The XAdES version used for signature creation, or an empty diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java index faeaf82..fc374ab 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java @@ -42,6 +42,9 @@ public class KeyGroup { /** The digest method algorithm for the key group */ private final String digestMethodAlgorithm; + /** Use RSASSA-PSS if supported */ + private final Boolean useRsaSsaPss; + /** * Create a <code>KeyGroup</code>. * 
@@ -51,9 +54,25 @@ public class KeyGroup { * @param digestMethodAlgorithm The signature algorithm used for this key group */ public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) { + this(id, keyGroupEntries, digestMethodAlgorithm, true); + + } + + /** + * Create a <code>KeyGroup</code>. + * + * @param id The ID of this <code>KeyGroup</code>. + * @param keyGroupEntries The keys belonging to this + * <code>KeyGroup</code>. + * @param useRsaSsaPss Use RSASSA-PSS if available and supported + * @param digestMethodAlgorithm The signature algorithm used for this key group + */ + public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm, Boolean useRsaSsaPss) { this.id = id; this.keyGroupEntries = keyGroupEntries; this.digestMethodAlgorithm = digestMethodAlgorithm; + this.useRsaSsaPss = useRsaSsaPss; + } /** @@ -84,6 +103,17 @@ public class KeyGroup { } /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * @return <code>true</code> if RSASSA-PSS should be used, <code>false</code> if + * it is disabled, or <code>null</code> if it is undefined + */ + public Boolean isUseRsaSsaPass() { + return useRsaSsaPss; + + } + + /** * Return a <code>String</code> representation of this <code>KeyGroup</code>. * * @return The <code>String</code> representation. @@ -102,7 +132,7 @@ public class KeyGroup { } } return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " - + digestMethodAlgorithm; + + digestMethodAlgorithm + useRsaSsaPss != null ? ("RSASSA-PSS: " + useRsaSsaPss) : ""; } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java index d660c7a..b43ec2f 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java 
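Review bot: The legacy three-argument constructor forwards `true` as `useRsaSsaPss`, which turns a key group built through it into an explicit opt-in rather than an "unset" value; with the resolution used in the invokers (`useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss`) the global `Signing` setting can then never apply to such a group. If the old constructor is meant to be neutral, `this(id, keyGroupEntries, digestMethodAlgorithm, null);` is the value that preserves the documented three-state semantics of the field. The new constructor's Javadoc also lists `@param useRsaSsaPss` before `@param digestMethodAlgorithm`, the reverse of the signature, and the accessor name `isUseRsaSsaPass` reads like a typo for `...Pss`; it is already referenced from both invokers in this commit, so a rename would have to touch those hunks too.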
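Review bot: The rewritten `return` in `toString` is broken by operator precedence: `+` binds tighter than `!=` and `?:`, so the condition evaluates `("(KeyGroup - ID:" + … + digestMethodAlgorithm + useRsaSsaPss) != null`, which is always true, and the method now returns only `"RSASSA-PSS: " + useRsaSsaPss`, dropping the ID, the key entries and the digest algorithm from every log line that prints a key group. Parenthesise the conditional: `+ digestMethodAlgorithm + (useRsaSsaPss != null ? " RSASSA-PSS: " + useRsaSsaPss : "");`. The beginning of `toString` lies outside the hunk.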
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java @@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.cmssign; import java.util.List; import java.util.Set; +import org.apache.commons.lang3.StringUtils; + import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -63,6 +65,20 @@ public class CMSSignatureCreationProfileImpl /** Digest Method algorithm */ private String digestMethod; private final boolean isPAdESConform; + private final boolean rsaSsaPss; + + public CMSSignatureCreationProfileImpl( + Set keySet, + String digestMethod, + List signedProperties, + boolean securityLayerConform, + boolean includeData, + String mimeType, + boolean isPAdESConform) { + this(keySet, digestMethod, signedProperties, securityLayerConform, includeData, mimeType, + isPAdESConform, true); + + } /** * Create a new <code>XMLSignatureCreationProfileImpl</code>. @@ -80,7 +96,8 @@ public class CMSSignatureCreationProfileImpl boolean securityLayerConform, boolean includeData, String mimeType, - boolean isPAdESConform) { + boolean isPAdESConform, + boolean rsaSsaPss) { this.keySet = keySet; this.signedProperties = signedProperties; this.securityLayerConform = securityLayerConform; @@ -88,6 +105,7 @@ public class CMSSignatureCreationProfileImpl this.mimeType = mimeType; this.digestMethod = digestMethod; this.isPAdESConform = isPAdESConform; + this.rsaSsaPss = rsaSsaPss; } 
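Review bot: The new seven-argument constructor, inserted between the `rsaSsaPss` field and the Javadoc of the eight-argument one, has no Javadoc, and nothing in the visible hunks adds a `@param rsaSsaPss` to the eight-argument constructor's Javadoc (that comment begins in this hunk and continues outside it). A one-liner on the overload such as `/** Creates a profile with RSASSA-PSS enabled where the key supports it; see the eight-argument constructor. */` and a `@param rsaSsaPss select the RSASSA-PSS variant of the RSA signature algorithm when the key supports it` on the full constructor would make the `true` default visible to callers. The Javadoc summary "Create a new XMLSignatureCreationProfileImpl" in this CMS class is a pre-existing copy-paste slip that could be fixed in the same pass.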
@@ -131,11 +149,70 @@ public class CMSSignatureCreationProfileImpl null); } + final String selectedSigAlg = selectBestSigAlg(algorithms, selectedKeyID); + Logger.trace("Selecting SigAlg: " + selectedSigAlg); + return selectedSigAlg; + + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() + */ + @Override + public List getSignedProperties() { + return signedProperties; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() + */ + @Override + public boolean isSecurityLayerConform() { + return securityLayerConform; + } + + /** + * Sets the security layer conformity. + * + * @param securityLayerConform <code>true</code>, if the created signature is to + * be conform to the Security Layer specification. + */ + public void setSecurityLayerConform(boolean securityLayerConform) { + this.securityLayerConform = securityLayerConform; + } + + public void setDigestMethod(String digestMethod) { + this.digestMethod = digestMethod; + } + + @Override + public String getMimeType() { + return mimeType; + } + + @Override + public boolean includeData() { + return this.includeData; + } + + @Override + public boolean isPAdESConform() { + return this.isPAdESConform; + } + + private String selectBestSigAlg(Set algorithms, KeyEntryID selectedKeyID) throws AlgorithmUnavailableException { + Logger.trace("Key: " + selectedKeyID + " supports signingAlgs: " + StringUtils.join(algorithms, ",")); + + // TODO: maybe add support for parameterized RSASSA-PSS + if (digestMethod.compareTo("SHA-1") == 0) { Logger.warn( "SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. 
SHA-256, SHA-384, SHA-512)"); - if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { + if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { return SignatureAlgorithms.SHA1_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { @@ -152,7 +229,11 @@ public class CMSSignatureCreationProfileImpl } } else if (digestMethod.compareTo("SHA-256") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) { + + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { @@ -168,7 +249,10 @@ public class CMSSignatureCreationProfileImpl null); } } else if (digestMethod.compareTo("SHA-384") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { return SignatureAlgorithms.SHA384_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { @@ -184,7 +268,10 @@ public class CMSSignatureCreationProfileImpl null); } } else if (digestMethod.compareTo("SHA-512") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { return SignatureAlgorithms.SHA512_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { 
@@ -205,52 +292,6 @@ public class CMSSignatureCreationProfileImpl null, null); } - - } - - /** - * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() - */ - @Override - public List getSignedProperties() { - return signedProperties; - } - - /** - * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() - */ - @Override - public boolean isSecurityLayerConform() { - return securityLayerConform; - } - - /** - * Sets the security layer conformity. - * - * @param securityLayerConform <code>true</code>, if the created signature is to - * be conform to the Security Layer specification. - */ - public void setSecurityLayerConform(boolean securityLayerConform) { - this.securityLayerConform = securityLayerConform; - } - - public void setDigestMethod(String digestMethod) { - this.digestMethod = digestMethod; - } - - @Override - public String getMimeType() { - return mimeType; - } - - @Override - public boolean includeData() { - return this.includeData; - } - - @Override - public boolean isPAdESConform() { - return this.isPAdESConform; } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java index 516e3d8..76814a4 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java @@ -76,6 +76,7 @@ public class XMLSignatureCreationProfileImpl private final IdGenerator propertyIDGenerator; /** The selected digest method algorithm if XAdES 1.4.2 is used */ private final String digestMethodXAdES142; + private final boolean rsaSsaPss; /** * Create a new <code>XMLSignatureCreationProfileImpl</code>. 
@@ -85,11 +86,12 @@ public class XMLSignatureCreationProfileImpl * same request. * @param reservedIDs The set of IDs that must not be used while * generating new IDs. + * @param useRsaSsaPss Use RSASSA-PSS if supported */ public XMLSignatureCreationProfileImpl( int createProfileCount, Set reservedIDs, - String digestMethodXAdES142) { + String digestMethodXAdES142, boolean useRsaSsaPss) { signatureIDGenerator = new IdGenerator("signature-" + createProfileCount, reservedIDs); manifestIDGenerator = @@ -99,6 +101,8 @@ public class XMLSignatureCreationProfileImpl propertyIDGenerator = new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs); this.digestMethodXAdES142 = digestMethodXAdES142; + this.rsaSsaPss = useRsaSsaPss; + } /** 
@@ -175,16 +179,25 @@ public class XMLSignatureCreationProfileImpl null); } + // TODO: maybe add support for parameterized RSASSA-PSS + if (digestMethodXAdES142 == null) { // XAdES 1.4.2 not enabled - legacy MOA - if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { - return SignatureAlgorithms.SHA1_WITH_RSA; + return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { return SignatureAlgorithms.ECDSA; } else if (algorithms.contains(SignatureAlgorithms.DSA)) { @@ -219,7 +232,10 @@ public class XMLSignatureCreationProfileImpl } } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { 
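Review bot: The condition in the legacy (`digestMethodXAdES142 == null`) branch is mis-grouped: `&&` binds tighter than `||`, so `rsaSsaPss` gates only the SHA-256 term, and a key that supports `SHA384_WITH_RSA_AND_MGF1` or `SHA512_WITH_RSA_AND_MGF1` is signed with PSS even when PSS is disabled; in that case the branch also returns `SHA256_WITH_RSA_AND_MGF1`, which may not be in `algorithms` at all. Reduce the guard to the algorithm actually returned: `if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) {`. The following `else if` has the same shape and now returns `SHA256_WITH_RSA` for a key whose supported set contains only MD2/MD5/RIPEMD/SHA-1 RSA; that was already true of the old `SHA1_WITH_RSA` return, but the switch to SHA-256 turns it into a silent upgrade that such a key may not honour, so it deserves either an explicit `contains(SHA256_WITH_RSA)` check or a comment saying why it is safe. The enclosing method starts outside the hunk.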
@@ -235,7 +251,10 @@ public class XMLSignatureCreationProfileImpl null); } } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { return SignatureAlgorithms.SHA384_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { @@ -251,7 +270,10 @@ public class XMLSignatureCreationProfileImpl null); } } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { return SignatureAlgorithms.SHA512_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java index 5624f45..4ae1866 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java @@ -221,6 +221,7 @@ public class CMSSignatureCreationInvoker { // get digest algorithm final String digestAlgorithm = getDigestAlgorithm(config, keyGroupID); + final boolean useRsaSsaPss = isRsaSsaPssActive(config, keyGroupID); // create CMSSignatureCreation profile: final CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl( 
@@ -230,7 +231,8 @@ public class CMSSignatureCreationInvoker { isSecurityLayerConform, includeData, mimetype, - isPAdESConformRequired); + isPAdESConformRequired, + useRsaSsaPss); // create CMSSignature from the CMSSignatureCreationModule // build the additionalSignedProperties @@ -344,13 +346,23 @@ public class CMSSignatureCreationInvoker { } + private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass(); + final boolean configUseRsaSsaPss = config.isUseRsaSsaPss(); + return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss; + + } + private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) throws MOASystemException { // get digest method on key group level (if configured) final String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); + // get default digest method (if configured) final String configDigestMethod = config.getDigestMethodAlgorithmName(); + String digestMethod = null; if (configDigestMethodKG != null) { // if KG specific digest method is configured diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java index c097b0c..7585ac7 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java 
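Review bot: `isRsaSsaPssActive` is duplicated verbatim in `XMLSignatureCreationProfileFactory` (the `@@ -260` hunk of the next file); the rule "key-group value wins, otherwise the global `Signing` setting" is configuration policy and belongs in one place, e.g. a `boolean isUseRsaSsaPss(String keyGroupID)` on `ConfigurationProvider` beside the existing `isUseRsaSsaPss()`, with both private copies reduced to a call. The method also has no Javadoc; a one-liner such as `/** Key-group setting overrides the global Signing default; null on the key group means "inherit". */` would document the three-state contract. Whether `config.getKeyGroup(keyGroupID)` can return `null` is not visible here; `getDigestAlgorithm` below dereferences it the same way, so presumably it is non-null or the `MOASystemException` covers it.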
@@ -191,8 +191,10 @@ public class XMLSignatureCreationProfileFactory { } } + final XMLSignatureCreationProfileImpl profile = - new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142); + new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142, + isRsaSsaPssActive(config, keyGroupID)); // build the transformation supplements createTransformsProfiles = @@ -260,6 +262,14 @@ public class XMLSignatureCreationProfileFactory { return profile; } + private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass(); + final boolean configUseRsaSsaPss = config.isUseRsaSsaPss(); + return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss; + + } + /** * Get the <code>List</code> of all <code>CreateTransformsInfoProfile</code>s * contained in all the <code>DataObjectInfo</code>s of the given diff --git a/release-infos/handbook/conf/moa-spss/spss.config.xml b/release-infos/handbook/conf/moa-spss/spss.config.xml index e1d61a6..ce7f2bd 100644 --- a/release-infos/handbook/conf/moa-spss/spss.config.xml +++ b/release-infos/handbook/conf/moa-spss/spss.config.xml @@ -61,7 +61,7 @@ </cfg:KeyCertIssuerSerial> </cfg:Key> </cfg:KeyGroup> - <cfg:KeyGroup> + <cfg:KeyGroup RSASSA-PSS="true"> <cfg:Id>KG_allgemein</cfg:Id> <cfg:Key> <cfg:KeyModuleId>SKM_allgemein</cfg:KeyModuleId> @@ -95,6 +95,7 @@ <cfg:XAdES> <cfg:Version>1.4.2</cfg:Version> </cfg:XAdES> + <cfg:Signing RSASSA-PSS="true" /> </cfg:SignatureCreation> <cfg:SignatureVerification> <cfg:CertificateValidation> |
