diff options
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java')
| -rw-r--r-- | moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java | 546 |
1 files changed, 262 insertions, 284 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java index 8e9380e..2e7445e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java @@ -21,19 +21,8 @@ * that you distribute must include a readable copy of the "NOTICE" text file. */ - package at.gv.egovernment.moa.spss.server.invoke; -import iaik.server.modules.algorithms.HashAlgorithms; -import iaik.server.modules.cmssign.CMSSignature; -import iaik.server.modules.cmssign.CMSSignatureCreationException; -import iaik.server.modules.cmssign.CMSSignatureCreationModule; -import iaik.server.modules.cmssign.CMSSignatureCreationModuleFactory; -import iaik.server.modules.cmssign.CMSSignatureCreationProfile; -import iaik.server.modules.keys.KeyEntryID; -import iaik.server.modules.keys.KeyModule; -import iaik.server.modules.keys.KeyModuleFactory; - import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; @@ -76,38 +65,46 @@ import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moaspss.logging.LogMsg; import at.gv.egovernment.moaspss.logging.Logger; import at.gv.egovernment.moaspss.util.Constants; +import iaik.server.modules.algorithms.HashAlgorithms; +import iaik.server.modules.cmssign.CMSSignature; +import iaik.server.modules.cmssign.CMSSignatureCreationException; +import iaik.server.modules.cmssign.CMSSignatureCreationModule; +import iaik.server.modules.cmssign.CMSSignatureCreationModuleFactory; +import iaik.server.modules.cmssign.CMSSignatureCreationProfile; +import iaik.server.modules.keys.KeyEntryID; +import iaik.server.modules.keys.KeyModule; +import iaik.server.modules.keys.KeyModuleFactory; /** * A class providing an API based interface to the * <code>CMSSignatureCreationModule</code>. - * - * This class performs the invocation of the + * + * This class performs the invocation of the * <code>iaik.server.modules.cmssign.CMSSignatureCreationModule</code> from a * <code>CreateCMSSignatureRequest</code> given as an API object. The result of * the invocation is integrated into a <code>CreateCMSSignatureResponse</code> * and returned. - * + * * @version $Id$ */ public class CMSSignatureCreationInvoker { - - private static Map HASH_ALGORITHM_MAPPING; - - static { - HASH_ALGORITHM_MAPPING = new HashMap(); - HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1); - HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256); - HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384); - HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512); - } - + + private static Map HASH_ALGORITHM_MAPPING; + + static { + HASH_ALGORITHM_MAPPING = new HashMap(); + HASH_ALGORITHM_MAPPING.put(Constants.SHA1_URI, HashAlgorithms.SHA1); + HASH_ALGORITHM_MAPPING.put(Constants.SHA256_URI, HashAlgorithms.SHA256); + HASH_ALGORITHM_MAPPING.put(Constants.SHA384_URI, HashAlgorithms.SHA384); + HASH_ALGORITHM_MAPPING.put(Constants.SHA512_URI, HashAlgorithms.SHA512); + } /** The single instance of this class. */ private static CMSSignatureCreationInvoker instance = null; /** * Get the only instance of this class. - * + * * @return The only instance of this class. */ public static synchronized CMSSignatureCreationInvoker getInstance() { @@ -119,290 +116,271 @@ public class CMSSignatureCreationInvoker { /** * Create a new <code>CMSSignatureCreationInvoker</code>. - * + * * Protected to disallow multiple instances. */ protected CMSSignatureCreationInvoker() { } - - /** * Process the <code>CreateCMSSignatureRequest<code> message and invoke the * <code>XMLSignatureCreationModule</code> for every * <code>SingleSignatureInfo</code> contained in the request. - * + * * @param request A <code>CreateCMSSignatureRequest<code> API object * containing the information for creating the signature(s). - * @param reserved A <code>Set</code> of reserved object IDs. - * - * @return A <code>CreateCMSSignatureResponse</code> API object containing - * the created signature(s). The response contains either a - * <code>SignatureEnvironment</code> or a <code>ErrorResponse</code> - * for each <code>SingleSignatureInfo</code> in the request. - * @throws MOAException An error occurred during signature creation. + * @param reserved A <code>Set</code> of reserved object IDs. + * + * @return A <code>CreateCMSSignatureResponse</code> API object containing the + * created signature(s). The response contains either a + * <code>SignatureEnvironment</code> or a <code>ErrorResponse</code> for + * each <code>SingleSignatureInfo</code> in the request. + * @throws MOAException An error occurred during signature creation. */ public CreateCMSSignatureResponse createCMSSignature( - CreateCMSSignatureRequest request, - Set reserved) - throws MOAException { + CreateCMSSignatureRequest request, + Set reserved) + throws MOAException { + + final TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); + // LoggingContext loggingCtx = + // LoggingContextManager.getInstance().getLoggingContext(); - TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); - //LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext(); + final CreateCMSSignatureResponseBuilder responseBuilder = new CreateCMSSignatureResponseBuilder(); + final CreateCMSSignatureResponse response = new CreateCMSSignatureResponseImpl(); - CreateCMSSignatureResponseBuilder responseBuilder = new CreateCMSSignatureResponseBuilder(); - CreateCMSSignatureResponse response = new CreateCMSSignatureResponseImpl(); + boolean isSecurityLayerConform = false; + boolean isPAdESConformRequired = false; + String structure = null; + String mimetype = null; - boolean isSecurityLayerConform = false; - String structure = null; - String mimetype = null; - - // select the SingleSignatureInfo elements - Iterator singleSignatureInfoIter = request.getSingleSignatureInfos().iterator(); + // select the SingleSignatureInfo elements + final Iterator singleSignatureInfoIter = request.getSingleSignatureInfos().iterator(); // iterate over all the SingleSignatureInfo elements in the request - while (singleSignatureInfoIter.hasNext()) { - SingleSignatureInfo singleSignatureInfo = (SingleSignatureInfo) singleSignatureInfoIter.next(); - isSecurityLayerConform = singleSignatureInfo.isSecurityLayerConform(); - - - DataObjectInfo dataObjectInfo = singleSignatureInfo.getDataObjectInfo(); - structure = dataObjectInfo.getStructure(); - - CMSDataObject dataobject = dataObjectInfo.getDataObject(); - MetaInfo metainfo = dataobject.getMetaInfo(); - mimetype = metainfo.getMimeType(); - - CMSContent content = dataobject.getContent(); - InputStream contentIs = null; - // build the content data - switch (content.getContentType()) { - case CMSContent.EXPLICIT_CONTENT : - contentIs = ((CMSContentExcplicit) content).getBinaryContent(); - break; - case CMSContent.REFERENCE_CONTENT : - String reference = ((CMSContentReference) content).getReference(); - if (!"".equals(reference)) { - ExternalURIResolver resolver = new ExternalURIResolver(); - contentIs = resolver.resolve(reference); - } else { - throw new MOAApplicationException("2301", null); - } - break; - default : { - throw new MOAApplicationException("2301", null); - } - } - - // create CMSSignatureCreationModuleFactory - CMSSignatureCreationModule module = CMSSignatureCreationModuleFactory.getInstance(); - - List signedProperties = null; - boolean includeData = true; - if (structure.compareTo("enveloping") == 0) - includeData = true; - if (structure.compareTo("detached") == 0) - includeData = false; - - ConfigurationProvider config = context.getConfiguration(); - - // get the key group id - String keyGroupID = request.getKeyIdentifier(); - // set the key set - Set keySet = buildKeySet(keyGroupID); - if (keySet == null) { - throw new MOAApplicationException("2231", null); - } else if (keySet.size() == 0) { - throw new MOAApplicationException("2232", null); - } - - // get digest algorithm - String digestAlgorithm = getDigestAlgorithm(config, keyGroupID); - - // create CMSSignatureCreation profile: - CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl( - keySet, - digestAlgorithm, - signedProperties, - isSecurityLayerConform, - includeData, - mimetype); - - // create CMSSignature from the CMSSignatureCreationModule - // build the additionalSignedProperties - List additionalSignedProperties = buildAdditionalSignedProperties(); - TransactionId tid = new TransactionId(context.getTransactionID()); - try { - CMSSignature signature = module.createSignature(profile, additionalSignedProperties, tid); - ByteArrayOutputStream out = new ByteArrayOutputStream(); - // get CMS SignedData output stream from the CMSSignature and wrap it around out - boolean base64 = true; - OutputStream signedDataStream = signature.getSignature(out, base64); - - // now write the data to be signed to the signedDataStream - - // - int byteRead; - /* - BigDecimal counter = new BigDecimal("0"); - BigDecimal one = new BigDecimal("1"); - - ByteArrayOutputStream filteredStream = new ByteArrayOutputStream(); - - while ((byteRead=contentIs.read()) >= 0) { - //System.out.println("counterXX: " + counter); - - // Wrong behaviour < 3 - // excluded bytes should not be part of the signature as 0 bytes - // they should be not part of the signature at all! - -// if (inRange(counter, dataobject)) -// filteredStream.write(0); -// else -// filteredStream.write(byteRead); -// - - // correct behaviour - if (!inRange(counter, dataobject)) { - filteredStream.write(byteRead); - } - - counter = counter.add(one); - } - byte[] data = filteredStream.toByteArray(); - signedDataStream.write(data, 0, data.length); - */ - // Stream based, this should have a better performance - FilteredOutputStream filteredOuputStream = new FilteredOutputStream( - signedDataStream, 4096, dataobject.getExcludeByteRangeFrom(), - dataobject.getExcludeByteRangeTo()); - - IOUtils.copyLarge(contentIs, filteredOuputStream); - filteredOuputStream.flush(); -// byte[] buf = new byte[4096]; -// int bytesRead; -// while ((bytesRead = contentIs.read(buf)) >= 0) { -// signedDataStream.write(buf, 0, bytesRead); -// } -// - // finish SignedData processing by closing signedDataStream - signedDataStream.close(); - String base64value = out.toString(); - - responseBuilder.addCMSSignature(base64value); - - - } catch (CMSSignatureCreationException e) { - MOAException moaException = IaikExceptionMapper.getInstance().map(e); - - responseBuilder.addError( - moaException.getMessageId(), - moaException.getMessage()); - Logger.warn(moaException.getMessage(), e); - - } - catch (IOException e) { - throw new MOAApplicationException("2301", null, e); - } - - } - + while (singleSignatureInfoIter.hasNext()) { + final SingleSignatureInfo singleSignatureInfo = (SingleSignatureInfo) singleSignatureInfoIter.next(); + isSecurityLayerConform = singleSignatureInfo.isSecurityLayerConform(); + isPAdESConformRequired = singleSignatureInfo.isPAdESConform(); + + // PAdES conformity always requires SecurityLayer conformity, because + // certificates must be included + if (isPAdESConformRequired && !isSecurityLayerConform) { + isSecurityLayerConform = isPAdESConformRequired; + Logger.debug("Set SecurityLayerConformity to 'true' because PAdES conformity is requested"); + + } + + final DataObjectInfo dataObjectInfo = singleSignatureInfo.getDataObjectInfo(); + structure = dataObjectInfo.getStructure(); + + final CMSDataObject dataobject = dataObjectInfo.getDataObject(); + final MetaInfo metainfo = dataobject.getMetaInfo(); + + /* + * TODO: do not set SigningTime in IAIK-MOA request or any other API + * method/parameter when IAIK-MOA API is updated. Maybe also update mimetype + * solution below + */ + // does not set mimetype if PAdES conformity is requested + if (!isPAdESConformRequired) { + mimetype = metainfo.getMimeType(); + + } else { + Logger.debug("PAdES conformity requested. Does not set mimetype into CAdES signature"); + } + + final CMSContent content = dataobject.getContent(); + InputStream contentIs = null; + // build the content data + switch (content.getContentType()) { + case CMSContent.EXPLICIT_CONTENT: + contentIs = ((CMSContentExcplicit) content).getBinaryContent(); + break; + case CMSContent.REFERENCE_CONTENT: + final String reference = ((CMSContentReference) content).getReference(); + if (!"".equals(reference)) { + final ExternalURIResolver resolver = new ExternalURIResolver(); + contentIs = resolver.resolve(reference); + } else { + throw new MOAApplicationException("2301", null); + } + break; + default: { + throw new MOAApplicationException("2301", null); + } + } + + // create CMSSignatureCreationModuleFactory + final CMSSignatureCreationModule module = CMSSignatureCreationModuleFactory.getInstance(); + + final List signedProperties = null; + boolean includeData = true; + if (structure.compareTo("enveloping") == 0) { + includeData = true; + } + if (structure.compareTo("detached") == 0) { + includeData = false; + } + + final ConfigurationProvider config = context.getConfiguration(); + + // get the key group id + final String keyGroupID = request.getKeyIdentifier(); + // set the key set + final Set keySet = buildKeySet(keyGroupID); + if (keySet == null) { + throw new MOAApplicationException("2231", null); + } else if (keySet.size() == 0) { + throw new MOAApplicationException("2232", null); + } + + // get digest algorithm + final String digestAlgorithm = getDigestAlgorithm(config, keyGroupID); + + // create CMSSignatureCreation profile: + final CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl( + keySet, + digestAlgorithm, + signedProperties, + isSecurityLayerConform, + includeData, + mimetype, + isPAdESConformRequired); + + // create CMSSignature from the CMSSignatureCreationModule + // build the additionalSignedProperties + final List additionalSignedProperties = buildAdditionalSignedProperties(); + final TransactionId tid = new TransactionId(context.getTransactionID()); + try { + final CMSSignature signature = module.createSignature(profile, additionalSignedProperties, tid); + final ByteArrayOutputStream out = new ByteArrayOutputStream(); + // get CMS SignedData output stream from the CMSSignature and wrap it around out + final boolean base64 = true; + final OutputStream signedDataStream = signature.getSignature(out, base64); + + // now write the data to be signed to the signedDataStream + // Stream based, this should have a better performance + final FilteredOutputStream filteredOuputStream = new FilteredOutputStream( + signedDataStream, 4096, dataobject.getExcludeByteRangeFrom(), + dataobject.getExcludeByteRangeTo()); + + IOUtils.copyLarge(contentIs, filteredOuputStream); + filteredOuputStream.flush(); + + // finish SignedData processing by closing signedDataStream + signedDataStream.close(); + final String base64value = out.toString(); + + responseBuilder.addCMSSignature(base64value); + + } catch (final CMSSignatureCreationException e) { + final MOAException moaException = IaikExceptionMapper.getInstance().map(e); + + responseBuilder.addError( + moaException.getMessageId(), + moaException.getMessage()); + Logger.warn(moaException.getMessage(), e); + + } catch (final IOException e) { + throw new MOAApplicationException("2301", null, e); + } + + } return responseBuilder.getResponse(); } - + private boolean inRange(BigDecimal counter, CMSDataObject dataobject) { - BigDecimal from = dataobject.getExcludeByteRangeFrom(); - BigDecimal to = dataobject.getExcludeByteRangeTo(); - - if ( (from == null) || (to == null)) - return false; - - int compare = counter.compareTo(from); - if (compare == -1) - return false; - else { - compare = counter.compareTo(to); - if (compare == 1) - return false; - else - return true; - } - - - + final BigDecimal from = dataobject.getExcludeByteRangeFrom(); + final BigDecimal to = dataobject.getExcludeByteRangeTo(); + + if (from == null || to == null) { + return false; + } + + int compare = counter.compareTo(from); + if (compare == -1) { + return false; + } else { + compare = counter.compareTo(to); + if (compare == 1) { + return false; + } else { + return true; + } + } + } - - private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) throws MOASystemException { - // get digest method on key group level (if configured) - String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); - // get default digest method (if configured) - String configDigestMethod = config.getDigestMethodAlgorithmName(); - - - String digestMethod = null; - if (configDigestMethodKG != null) { - // if KG specific digest method is configured - digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG); - if (digestMethod == null) { - error( - "config.17", - new Object[] { configDigestMethodKG}); - throw new MOASystemException("2900", null); - } - Logger.debug("Digest algorithm: " + digestMethod + "(configured in KeyGroup)"); - } - else { - // else get default configured digest method - digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod); - if (digestMethod == null) { - error( - "config.17", - new Object[] { configDigestMethod}); - throw new MOASystemException("2900", null); - } - Logger.debug("Digest algorithm: " + digestMethod + "(default)"); - - } - return digestMethod; + private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + // get digest method on key group level (if configured) + final String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); + // get default digest method (if configured) + final String configDigestMethod = config.getDigestMethodAlgorithmName(); + + String digestMethod = null; + if (configDigestMethodKG != null) { + // if KG specific digest method is configured + digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethodKG); + if (digestMethod == null) { + error( + "config.17", + new Object[] { configDigestMethodKG }); + throw new MOASystemException("2900", null); + } + Logger.debug("Digest algorithm: " + digestMethod + "(configured in KeyGroup)"); + } else { + // else get default configured digest method + digestMethod = (String) HASH_ALGORITHM_MAPPING.get(configDigestMethod); + if (digestMethod == null) { + error( + "config.17", + new Object[] { configDigestMethod }); + throw new MOASystemException("2900", null); + } + Logger.debug("Digest algorithm: " + digestMethod + "(default)"); + + } + return digestMethod; } - + /** * Utility function to issue an error message to the log. - * - * @param messageId The ID of the message to log. + * + * @param messageId The ID of the message to log. * @param parameters Additional message parameters. */ private static void error(String messageId, Object[] parameters) { - MessageProvider msg = MessageProvider.getInstance(); + final MessageProvider msg = MessageProvider.getInstance(); Logger.error(new LogMsg(msg.getMessage(messageId, parameters))); } - + /** * Build the set of <code>KeyEntryID</code>s available to the given * <code>keyGroupID</code>. - * + * * @param keyGroupID The keygroup ID for which the available keys should be - * returned. - * @return The <code>Set</code> of <code>KeyEntryID</code>s - * identifying the available keys. + * returned. + * @return The <code>Set</code> of <code>KeyEntryID</code>s identifying the + * available keys. */ private Set buildKeySet(String keyGroupID) { - TransactionContext context = - TransactionContextManager.getInstance().getTransactionContext(); - ConfigurationProvider config = context.getConfiguration(); + final TransactionContext context = + TransactionContextManager.getInstance().getTransactionContext(); + final ConfigurationProvider config = context.getConfiguration(); Set keyGroupEntries; // get the KeyGroup entries from the configuration if (context.getClientCertificate() != null) { - X509Certificate cert = context.getClientCertificate()[0]; - Principal issuer = cert.getIssuerDN(); - BigInteger serialNumber = cert.getSerialNumber(); + final X509Certificate cert = context.getClientCertificate()[0]; + final Principal issuer = cert.getIssuerDN(); + final BigInteger serialNumber = cert.getSerialNumber(); keyGroupEntries = - config.getKeyGroupEntries(issuer, serialNumber, keyGroupID); + config.getKeyGroupEntries(issuer, serialNumber, keyGroupID); } else { keyGroupEntries = config.getKeyGroupEntries(null, null, keyGroupID); } @@ -413,23 +391,23 @@ public class CMSSignatureCreationInvoker { } else if (keyGroupEntries.size() == 0) { return Collections.EMPTY_SET; } else { - KeyModule module = - KeyModuleFactory.getInstance( - new TransactionId(context.getTransactionID())); - Set keyEntryIDs = module.getPrivateKeyEntryIDs(); - Set keySet = new HashSet(); + final KeyModule module = + KeyModuleFactory.getInstance( + new TransactionId(context.getTransactionID())); + final Set keyEntryIDs = module.getPrivateKeyEntryIDs(); + final Set keySet = new HashSet(); Iterator iter; // filter out the keys that do not exist in the IAIK configuration // by walking through the key entries and checking if the exist in the // keyGroupEntries for (iter = keyEntryIDs.iterator(); iter.hasNext();) { - KeyEntryID entryID = (KeyEntryID) iter.next(); - KeyGroupEntry entry = - new KeyGroupEntry( - entryID.getModuleID(), - entryID.getCertificateIssuer(), - entryID.getCertificateSerialNumber()); + final KeyEntryID entryID = (KeyEntryID) iter.next(); + final KeyGroupEntry entry = + new KeyGroupEntry( + entryID.getModuleID(), + entryID.getCertificateIssuer(), + entryID.getCertificateSerialNumber()); if (keyGroupEntries.contains(entry)) { keySet.add(entryID); } @@ -440,18 +418,18 @@ public class CMSSignatureCreationInvoker { /** * Build the list of additional signed properties. - * + * * Based on the generic configuration setting - * <code>ConfigurationProvider.TEST_SIGNING_TIME_PROPERTY</code>, a - * constant <code>SigningTime</code> will be added to the properties. - * + * <code>ConfigurationProvider.TEST_SIGNING_TIME_PROPERTY</code>, a constant + * <code>SigningTime</code> will be added to the properties. + * * @return The <code>List</code> of additional signed properties. */ private List buildAdditionalSignedProperties() { - TransactionContext context = - TransactionContextManager.getInstance().getTransactionContext(); - ConfigurationProvider config = context.getConfiguration(); - List additionalSignedProperties = Collections.EMPTY_LIST; + final TransactionContext context = + TransactionContextManager.getInstance().getTransactionContext(); + final ConfigurationProvider config = context.getConfiguration(); + final List additionalSignedProperties = Collections.EMPTY_LIST; return additionalSignedProperties; } |