diff options
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik')
5 files changed, 152 insertions, 73 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java index d660c7a..e5b6025 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java @@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.cmssign; import java.util.List; import java.util.Set; +import org.apache.commons.lang3.StringUtils; + import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -63,15 +65,36 @@ public class CMSSignatureCreationProfileImpl /** Digest Method algorithm */ private String digestMethod; private final boolean isPAdESConform; + private final boolean rsaSsaPss; + + public CMSSignatureCreationProfileImpl( + Set keySet, + String digestMethod, + List signedProperties, + boolean securityLayerConform, + boolean includeData, + String mimeType, + boolean isPAdESConform) { + this(keySet, digestMethod, signedProperties, securityLayerConform, includeData, mimeType, + isPAdESConform, true); + + } /** - * Create a new <code>XMLSignatureCreationProfileImpl</code>. + * Creates a CMS based signature-creation profile. * - * @param createProfileCount Provides external information about the number of - * calls to the signature creation module, using the - * same request. - * @param reservedIDs The set of IDs that must not be used while - * generating new IDs. + * @param keySet Set of signing keys + * @param digestMethod Hash algorithm + * @param signedProperties List of signing properties + * @param securityLayerConform If <code>true</code> create a CAdES-B signature, + * otherwise CMS signature + * @param includeData If <code>true</code> create an embedded + * signature, otherwise a detached + * @param mimeType MimeType to be set + * @param isPAdESConform If <code>true</code> signature fulfill PAdES + * requirements + * @param rsaSsaPss If <code>true</code> use RSASSA-PSS algorithms, + * otherwise RSA#1.5 */ public CMSSignatureCreationProfileImpl( Set keySet, @@ -80,7 +103,8 @@ public class CMSSignatureCreationProfileImpl boolean securityLayerConform, boolean includeData, String mimeType, - boolean isPAdESConform) { + boolean isPAdESConform, + boolean rsaSsaPss) { this.keySet = keySet; this.signedProperties = signedProperties; this.securityLayerConform = securityLayerConform; @@ -88,6 +112,7 @@ public class CMSSignatureCreationProfileImpl this.mimeType = mimeType; this.digestMethod = digestMethod; this.isPAdESConform = isPAdESConform; + this.rsaSsaPss = rsaSsaPss; } @@ -131,11 +156,70 @@ public class CMSSignatureCreationProfileImpl null); } + final String selectedSigAlg = selectBestSigAlg(algorithms, selectedKeyID); + Logger.trace("Selecting SigAlg: " + selectedSigAlg); + return selectedSigAlg; + + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() + */ + @Override + public List getSignedProperties() { + return signedProperties; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() + */ + @Override + public boolean isSecurityLayerConform() { + return securityLayerConform; + } + + /** + * Sets the security layer conformity. + * + * @param securityLayerConform <code>true</code>, if the created signature is to + * be conform to the Security Layer specification. + */ + public void setSecurityLayerConform(boolean securityLayerConform) { + this.securityLayerConform = securityLayerConform; + } + + public void setDigestMethod(String digestMethod) { + this.digestMethod = digestMethod; + } + + @Override + public String getMimeType() { + return mimeType; + } + + @Override + public boolean includeData() { + return this.includeData; + } + + @Override + public boolean isPAdESConform() { + return this.isPAdESConform; + } + + private String selectBestSigAlg(Set algorithms, KeyEntryID selectedKeyID) throws AlgorithmUnavailableException { + Logger.trace("Key: " + selectedKeyID + " supports signingAlgs: " + StringUtils.join(algorithms, ",")); + + // TODO: maybe add support for parameterized RSASSA-PSS + if (digestMethod.compareTo("SHA-1") == 0) { Logger.warn( "SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)"); - if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { + if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { return SignatureAlgorithms.SHA1_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { @@ -152,7 +236,11 @@ public class CMSSignatureCreationProfileImpl } } else if (digestMethod.compareTo("SHA-256") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) { + + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { @@ -168,7 +256,10 @@ public class CMSSignatureCreationProfileImpl null); } } else if (digestMethod.compareTo("SHA-384") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { return SignatureAlgorithms.SHA384_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { @@ -184,7 +275,10 @@ public class CMSSignatureCreationProfileImpl null); } } else if (digestMethod.compareTo("SHA-512") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { return SignatureAlgorithms.SHA512_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { @@ -205,52 +299,6 @@ public class CMSSignatureCreationProfileImpl null, null); } - - } - - /** - * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() - */ - @Override - public List getSignedProperties() { - return signedProperties; - } - - /** - * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() - */ - @Override - public boolean isSecurityLayerConform() { - return securityLayerConform; - } - - /** - * Sets the security layer conformity. - * - * @param securityLayerConform <code>true</code>, if the created signature is to - * be conform to the Security Layer specification. - */ - public void setSecurityLayerConform(boolean securityLayerConform) { - this.securityLayerConform = securityLayerConform; - } - - public void setDigestMethod(String digestMethod) { - this.digestMethod = digestMethod; - } - - @Override - public String getMimeType() { - return mimeType; - } - - @Override - public boolean includeData() { - return this.includeData; - } - - @Override - public boolean isPAdESConform() { - return this.isPAdESConform; } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java index d1b776b..befeab7 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java @@ -43,7 +43,6 @@ import iaik.pki.store.revocation.RevocationStoreException; * A customized implementation of * {@link iaik.pki.store.revocation.RevocationInfoRetriever}. Will be used * instead of the default implementation - * {@link iaik.pki.store.revocation.CRLRetriever} to overcome a classloader * problem in connection with the {@link java.net.URL} class in a Tomcat * deployment environment. * diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java index 22cceeb..0e12f89 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java @@ -28,7 +28,6 @@ import iaik.pki.store.revocation.archive.DataBaseArchiveParameters; /** * An implementation of the <code>DataBaseArchiveParameter</code> interface. * - * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter * @author Patrick Peck * @version $Id$ */ @@ -46,9 +45,6 @@ public class DataBaseArchiveParameterImpl implements DataBaseArchiveParameters { this.jDBCUrl = jDBCUrl; } - /** - * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter#getJDBCUrl() - */ @Override public String getJDBCUrl() { return jDBCUrl; diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java index 9ef3764..7a036ec 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java @@ -60,10 +60,9 @@ public class TrustStoreProfileImpl implements TrustStoreProfile { /** * Create a new <code>TrustStoreProfileImpl</code>. * - * @param config The MOA configuration data, from which trust store - * configuration data is read. - * @param trustProfileId The trust profile id on which this - * <code>TrustStoreProfile</code> is based. + * @param trustProfileId The trust profile id on which this + * <code>TrustStoreProfile</code> is based. + * @param trustProfileUri File path to trust profile * @throws MOAApplicationException The <code>trustProfileId</code> could not be * found in the MOA configuration. */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java index 516e3d8..b0fea7f 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java @@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.xmlsign; import java.util.List; import java.util.Set; +import org.apache.commons.lang3.StringUtils; + import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -76,6 +78,7 @@ public class XMLSignatureCreationProfileImpl private final IdGenerator propertyIDGenerator; /** The selected digest method algorithm if XAdES 1.4.2 is used */ private final String digestMethodXAdES142; + private final boolean rsaSsaPss; /** * Create a new <code>XMLSignatureCreationProfileImpl</code>. @@ -85,11 +88,12 @@ public class XMLSignatureCreationProfileImpl * same request. * @param reservedIDs The set of IDs that must not be used while * generating new IDs. + * @param useRsaSsaPss Use RSASSA-PSS if supported */ public XMLSignatureCreationProfileImpl( int createProfileCount, Set reservedIDs, - String digestMethodXAdES142) { + String digestMethodXAdES142, boolean useRsaSsaPss) { signatureIDGenerator = new IdGenerator("signature-" + createProfileCount, reservedIDs); manifestIDGenerator = @@ -99,6 +103,8 @@ public class XMLSignatureCreationProfileImpl propertyIDGenerator = new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs); this.digestMethodXAdES142 = digestMethodXAdES142; + this.rsaSsaPss = useRsaSsaPss; + } /** @@ -159,6 +165,14 @@ public class XMLSignatureCreationProfileImpl @Override public String getSignatureAlgorithmName(KeyEntryID selectedKeyID) throws AlgorithmUnavailableException { + String sigAlgIdentifier = getInternalSignatureAlgorithmName(selectedKeyID); + Logger.debug("Selected SignatureAlgorithmIdentifier: " + sigAlgIdentifier); + return sigAlgIdentifier; + + } + + private String getInternalSignatureAlgorithmName(KeyEntryID selectedKeyID) + throws AlgorithmUnavailableException { final TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); @@ -174,21 +188,35 @@ public class XMLSignatureCreationProfileImpl e, null); } + Logger.trace("RSASSA-PSS: " + rsaSsaPss + " XAdESDigistAlg: " + digestMethodXAdES142 + + " Algorithms: " + StringUtils.join(algorithms, ",")); + // TODO: maybe add support for parameterized RSASSA-PSS if (digestMethodXAdES142 == null) { // XAdES 1.4.2 not enabled - legacy MOA - if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) + if (rsaSsaPss + && (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1))) { + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + + return SignatureAlgorithms.SHA256_WITH_RSA; - return SignatureAlgorithms.SHA1_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { return SignatureAlgorithms.ECDSA; + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { return SignatureAlgorithms.DSA; + } else { throw new AlgorithmUnavailableException( "No algorithm for key entry: " + selectedKeyID, @@ -219,7 +247,10 @@ public class XMLSignatureCreationProfileImpl } } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { @@ -235,7 +266,10 @@ public class XMLSignatureCreationProfileImpl null); } } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { return SignatureAlgorithms.SHA384_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { @@ -251,7 +285,10 @@ public class XMLSignatureCreationProfileImpl null); } } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { return SignatureAlgorithms.SHA512_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { |