diff options
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign')
3 files changed, 642 insertions, 0 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/DataObjectTreatmentImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/DataObjectTreatmentImpl.java new file mode 100644 index 0000000..310f2dd --- /dev/null +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/DataObjectTreatmentImpl.java @@ -0,0 +1,174 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.server.iaik.xmlsign; + +import java.util.List; + +import iaik.server.modules.xmlsign.DataObjectTreatment; + +import at.gv.egovernment.moa.spss.server.util.IdGenerator; + +/** + * An object encapsulating how to treat an associated <code>DataObject</code> + * when creating a signature. + * + * @author Patrick Peck + * @version $Id$ + */ +public class DataObjectTreatmentImpl implements DataObjectTreatment { + /** The final content MIME type. */ + private String finalContentType; + /** The name of the hash algorithm. */ + private String hashAlgorithmName; + /** This transformations to apply to the associated data object. */ + private List transformationList; + /** Supplemental information for the transformations. */ + private List transformationSupplements; + /** Whether to include the associated data object in the signature. */ + private boolean includedInSignature; + /** Whether to include the associated data object in the manifest. */ + private boolean referenceInManifest; + /** The object ID generator. */ + private IdGenerator objIdGen; + + /** + * Create a new <code>DataObjectTreatmentImpl</code>. + * + * @param objIdGen The <code>IdGenerator</code> for unique object IDs. + */ + public DataObjectTreatmentImpl(IdGenerator objIdGen) { + this.objIdGen = objIdGen; + } + + /** + * @see iaik.server.modules.xmlsign.DataObjectTreatment#getFinalContentType() + */ + public String getFinalContentType() { + return finalContentType; + } + + /** + * Sets the final content type. + * + * @param finalContentType The final content type to set (a MIME-type type of + * <code>String</code>). + */ + public void setFinalContentType(String finalContentType) { + this.finalContentType = finalContentType; + } + + /** + * @see iaik.server.modules.xmlsign.DataObjectTreatment#getHashAlgorithmName() + */ + public String getHashAlgorithmName() { + return hashAlgorithmName; + } + + /** + * Sets the hash algorithm name. + * + * @param hashAlgorithmName The hash algorithm name to set. + */ + public void setHashAlgorithmName(String hashAlgorithmName) { + this.hashAlgorithmName = hashAlgorithmName; + } + + /** + * @see iaik.server.modules.xmlsign.DataObjectTreatment#isIncludedInSignature() + */ + public boolean isIncludedInSignature() { + return includedInSignature; + } + + /** + * Sets whether the associated <code>DataObject</code> is to be included in + * the signature. + * + * @param includedInSignature If <code>true</code>, the associated + * <code>DataObject</code> will be included in the signature, otherwise not. + */ + public void setIncludedInSignature(boolean includedInSignature) { + this.includedInSignature = includedInSignature; + } + + /** + * @see iaik.server.modules.xmlsign.DataObjectTreatment#isReferenceInManifest() + */ + public boolean isReferenceInManifest() { + return referenceInManifest; + } + + /** + * Sets whether the associated <code>DataObject</code> is + * to be included in the <code>dsig:Manifest</code>. + * + * @param referenceInManifest If <code>true</code>, the associated + * <code>DataObject</code> will be included in the manifest, otherwise not. + */ + public void setReferenceInManifest(boolean referenceInManifest) { + this.referenceInManifest = referenceInManifest; + } + + /** + * @see iaik.server.modules.xmlsign.DataObjectTreatment#getTransformationList() + */ + public List getTransformationList() { + return transformationList; + } + + /** + * Set the list of transformations for the associated <code>DataObject</code>. + * + * @param transformationList The transformations to set. + */ + public void setTransformationList(List transformationList) { + this.transformationList = transformationList; + } + + /** + * @see iaik.server.modules.xmlsign.DataObjectTreatment#getTransformationSupplements() + */ + public List getTransformationSupplements() { + return transformationSupplements; + } + + /** + * Sets the transformation supplements for the associated + * <code>DataObject</code>. + * + * @param transformationSupplements The transformation supplements to set. + */ + public void setTransformationSupplements(List transformationSupplements) { + this.transformationSupplements = transformationSupplements; + } + + /** + * @see iaik.server.modules.xmlsign.DataObjectTreatment#getDsigDataObjectID() + */ + public String getDsigDataObjectID() { + return objIdGen.uniqueId(); + } + +} diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java new file mode 100644 index 0000000..7d0c5a0 --- /dev/null +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java @@ -0,0 +1,399 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.server.iaik.xmlsign; + +import iaik.server.modules.algorithms.SignatureAlgorithms; +import iaik.server.modules.keys.AlgorithmUnavailableException; +import iaik.server.modules.keys.KeyEntryID; +import iaik.server.modules.keys.KeyModule; +import iaik.server.modules.keys.KeyModuleFactory; +import iaik.server.modules.keys.UnknownKeyException; +import iaik.server.modules.xml.Canonicalization; +import iaik.server.modules.xmlsign.XMLSignatureCreationProfile; +import iaik.server.modules.xmlsign.XMLSignatureInsertionLocation; + +import java.util.List; +import java.util.Set; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.spss.server.logging.TransactionId; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; +import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; +import at.gv.egovernment.moa.spss.server.util.IdGenerator; + +/** + * An object providing auxiliary information for creating an XML signature. + * + * @author Patrick Peck + * @version $Id$ + */ +public class XMLSignatureCreationProfileImpl + implements XMLSignatureCreationProfile { + + /** The transformations to apply to a data object. */ + private List dataObjectTreatmentList; + /** The set of keys available to the signing process. */ + private Set keySet; + /** The type URI of the signature manifest. */ + private String securityLayerManifestTypeURI; + /** Whether the created signature is to be Security Layer conform. */ + private boolean securityLayerConform; + /** Where to insert the signature into the signature environment. */ + private XMLSignatureInsertionLocation signatureInsertionLocation; + /** The signature structur type. */ + private String signatureStructureType; + /** The type of <code>Canonicalization</code> to use for the signed info. */ + private Canonicalization signedInfoCanonicalization; + /** Properties to be signed during signature creation. */ + private List signedProperties; + /** The ID generator for signature IDs. */ + private IdGenerator signatureIDGenerator; + /** The ID generator for manifst IDs. */ + private IdGenerator manifestIDGenerator; + /** The ID generator for XMLDsig manifest IDs. */ + private IdGenerator dsigManifestIDGenerator; + /** The ID generator for signed property IDs. */ + private IdGenerator propertyIDGenerator; + /** The selected digest method algorithm if XAdES 1.4.2 is used */ + private String digestMethodXAdES142; + + + /** + * Create a new <code>XMLSignatureCreationProfileImpl</code>. + * + * @param createProfileCount Provides external information about the + * number of calls to the signature creation module, using the same request. + * @param reservedIDs The set of IDs that must not be used while generating + * new IDs. + */ + public XMLSignatureCreationProfileImpl( + int createProfileCount, + Set reservedIDs, + String digestMethodXAdES142) { + signatureIDGenerator = + new IdGenerator("signature-" + createProfileCount, reservedIDs); + manifestIDGenerator = + new IdGenerator("manifest-" + createProfileCount, reservedIDs); + dsigManifestIDGenerator = + new IdGenerator("dsig-manifest-" + createProfileCount, reservedIDs); + propertyIDGenerator = + new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs); + this.digestMethodXAdES142 = digestMethodXAdES142; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getDataObjectTreatmentList() + */ + public List getDataObjectTreatmentList() { + return dataObjectTreatmentList; + } + + /** + * Sets the list of <code>DataObjectTreatment</code>s. + * + * @param dataObjectTreatmentList The <code>DataObjectTreatment</code>s to + * set. + */ + public void setDataObjectTreatmentList(List dataObjectTreatmentList) { + this.dataObjectTreatmentList = dataObjectTreatmentList; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getKeySet() + */ + public Set getKeySet() { + return keySet; + } + + /** + * Set the set of <code>KeyEntryID</code>s which may be used for signature + * creation. + * + * @param keySet The set of <code>KeyEntryID</code>s to set. + */ + public void setKeySet(Set keySet) { + this.keySet = keySet; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSecurityLayerManifestTypeURI() + */ + public String getSecurityLayerManifestTypeURI() { + return securityLayerManifestTypeURI; + } + + /** + * Set the SecurityLayerManifestTypeURI. + * + * @param securityLayerManifestTypeURI The SecurityLayerManifestTypeURI to + * set. + */ + public void setSecurityLayerManifestTypeURI(String securityLayerManifestTypeURI) { + this.securityLayerManifestTypeURI = securityLayerManifestTypeURI; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureAlgorithmName(KeyEntryID) + */ + public String getSignatureAlgorithmName(KeyEntryID selectedKeyID) + throws AlgorithmUnavailableException { + + TransactionContext context = + TransactionContextManager.getInstance().getTransactionContext(); + TransactionId tid = new TransactionId(context.getTransactionID()); + KeyModule module = KeyModuleFactory.getInstance(tid); + Set algorithms; + + try { + algorithms = module.getSupportedSignatureAlgorithms(selectedKeyID); + } catch (UnknownKeyException e) { + throw new AlgorithmUnavailableException( + "Unknown key entry: " + selectedKeyID, + e, + null); + } + + if (digestMethodXAdES142 == null) { + // XAdES 1.4.2 not enabled - legacy MOA + if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + + return SignatureAlgorithms.SHA1_WITH_RSA; + } else if ( + algorithms.contains(SignatureAlgorithms.ECDSA)) { + return SignatureAlgorithms.ECDSA; + } else if ( + algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } + else { + // XAdES 1.4.2 is enabled: select signature algorithm according to selected digest method + if (digestMethodXAdES142.compareTo("SHA-1") == 0) { + Logger.warn("XAdES version 1.4.2 is enabled, but SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)"); + + if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { + return SignatureAlgorithms.SHA1_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { + return SignatureAlgorithms.ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + + } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + return SignatureAlgorithms.SHA256_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { + return SignatureAlgorithms.SHA256_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + return SignatureAlgorithms.SHA384_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { + return SignatureAlgorithms.SHA384_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) { + if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + return SignatureAlgorithms.SHA512_WITH_RSA; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { + return SignatureAlgorithms.SHA512_WITH_ECDSA; + + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { + return SignatureAlgorithms.DSA; + + } else { + throw new AlgorithmUnavailableException( + "No algorithm for key entry: " + selectedKeyID, + null, + null); + } + } + else { + throw new AlgorithmUnavailableException( + "No signature algorithm found for digest algorithm '" + digestMethodXAdES142, + null, + null); + } + + } + + + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureInsertionLocation() + */ + public XMLSignatureInsertionLocation getSignatureInsertionLocation() { + return signatureInsertionLocation; + } + + /** + * Set the location where the signature is to be inserted into the signature + * parent. + * + * @param signatureInsertionLocation The location to set. + */ + public void setSignatureInsertionLocation(XMLSignatureInsertionLocation signatureInsertionLocation) { + this.signatureInsertionLocation = signatureInsertionLocation; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureStructureType() + */ + public String getSignatureStructureType() { + return signatureStructureType; + } + + /** + * Set the signature structure type. + * @param signatureStructureType The signature structure type to set. + */ + public void setSignatureStructureType(String signatureStructureType) { + this.signatureStructureType = signatureStructureType; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedInfoCanonicalization() + */ + public Canonicalization getSignedInfoCanonicalization() { + return signedInfoCanonicalization; + } + + /** + * Sets the canonicalization method to use for the SignedInfo object. + * + * @param signedInfoCanonicalization The canonicalization method to set. + */ + public void setSignedInfoCanonicalization(Canonicalization signedInfoCanonicalization) { + this.signedInfoCanonicalization = signedInfoCanonicalization; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() + */ + public List getSignedProperties() { + return signedProperties; + } + + /** + * Set the signed properties. + * + * @param signedProperties The signed properties to set. + */ + public void setSignedProperties(List signedProperties) { + this.signedProperties = signedProperties; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() + */ + public boolean isSecurityLayerConform() { + return securityLayerConform; + } + + /** + * Sets the security layer conformity. + * + * @param securityLayerConform <code>true</code>, if the created signature + * is to be conform to the Security Layer specification. + */ + public void setSecurityLayerConform(boolean securityLayerConform) { + this.securityLayerConform = securityLayerConform; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureID() + */ + public String getSignatureID() { + return signatureIDGenerator.uniqueId(); + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSecurityLayerManifestID() + */ + public String getSecurityLayerManifestID() { + return manifestIDGenerator.uniqueId(); + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getDsigManifestID() + */ + public String getDsigManifestID() { + return dsigManifestIDGenerator.uniqueId(); + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedPropertiesID() + */ + public String getSignedPropertiesID() { + return propertyIDGenerator.uniqueId(); + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getPermitFileURIs() + */ + public boolean getPermitFileURIs() { + return false; + } + +} diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureInsertionLocationImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureInsertionLocationImpl.java new file mode 100644 index 0000000..90c1f49 --- /dev/null +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureInsertionLocationImpl.java @@ -0,0 +1,69 @@ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-SPSS has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.spss.server.iaik.xmlsign; + +import iaik.server.modules.xmlsign.XMLSignatureInsertionLocation; + +/** + * An object giving the location of where the signature will be + * inserted into the parent element. + * + * @author Patrick Peck + * @version $Id$ + */ +public class XMLSignatureInsertionLocationImpl + implements XMLSignatureInsertionLocation { + + /** Where to put the signature into the signature parent element. */ + private int signatureChildIndex; + + /** + * Create a new <code>XMLSignatureInsertLocationImpl</code>. + * + * @param signatureChildIndex The position index at which to append the + * signature to the parent element. + */ + public XMLSignatureInsertionLocationImpl(int signatureChildIndex) { + setSignatureChildIndex(signatureChildIndex); + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureInsertionLocation#getSignatureChildIndex() + */ + public int getSignatureChildIndex() { + return signatureChildIndex; + } + + /** + * Sets the position index at which to append the signature to the parent + * element. + * + * @param signatureChildIndex The position index to set. + */ + public void setSignatureChildIndex(int signatureChildIndex) { + this.signatureChildIndex = signatureChildIndex; + } + +} |