diff options
Diffstat (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa')
32 files changed, 673 insertions, 351 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java index d0be7d5..5d378ce 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java @@ -316,7 +316,7 @@ public abstract class SPSSFactory { * @param profileID The profile ID to resolve during signature creation. * @return The <code>CreateSignatureEnvironmentProfile</code> containing the * given profile ID. - * + * * @pre profileID != null && profileID.length() > 0 * @post return != null */ @@ -398,8 +398,7 @@ public abstract class SPSSFactory { /** * Create a new <code>SignatureEnvironmentResponse</code> object. * - * @param signatureEnvironment The signature environment containing the - * signature. + * @param base64value Signature as Base64 encoded data * @return The <code>SignatureEnvironmentResponse</code> containing the * <code>signatureEnvironment</code>. * @@ -959,15 +958,15 @@ public abstract class SPSSFactory { /** * Create a new <code>Content</code> object containing location reference data. - * + * * @param locationReferenceURI a URI pointing to the actual remote location of * the content. - * + * * @param referenceURI An URI identifying the data. May be * <code>null</code>. - * + * * @return The <code>Content</code> object containing the data. - * + * * @pre locationReferenceURI != null * @post return != null */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java index 3d5279f..ab73c22 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java @@ -32,7 +32,7 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureLocation; /** * Default implementation of - * <codeCreateSignatureEnvironmentProfileExplicit</code>. + * <code>CreateSignatureEnvironmentProfileExplicit</code>. * * @author Patrick Peck * @version $Id$ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java index d1eebca..ed6f449 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java @@ -30,7 +30,7 @@ import java.util.List; import at.gv.egovernment.moa.spss.api.xmlverify.ReferenceInfo; /** - * Default implementation of <codeReferenceInfo</code>. + * Default implementation of <code>ReferenceInfo</code>. * * @author Fatemeh Philippi * @version $Id$ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java index 173ecbf..571977e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java @@ -62,7 +62,7 @@ public class RequestParserUtils { /** * Parse a <code>XMLDataObjectAssociationType</code> kind of DOM element. - * + * * @param assocElem The <code>XMLDataObjectAssociationType</code> kind of DOM * elmeent to parse. * @return The <code>XMLDataObjectAssociation</code> API object containing the @@ -79,7 +79,7 @@ public class RequestParserUtils { /** * Parse a <code>MetaInfoType</code> kind of DOM element. - * + * * @param metaInfoElem The <code>MetaInfoType</code> kind of DOM element. * @return The <code>MetaInfo</code> API object containing the data from the * <code>metaInfoElem</code>. @@ -97,7 +97,7 @@ public class RequestParserUtils { /** * Parse a <code>ContentOptionalRefType</code> or * <code>ContentRequiredRefType</code> kind of DOM element. - * + * * @param contentParentElem The DOM element being the parent of the content * element. * @return The <code>Content</code> API object containing the data from the @@ -127,7 +127,7 @@ public class RequestParserUtils { /** * Get the signing time from a Verfiy(CMS|XML)SignatureRequest. - * + * * @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code> DOM * element. * @param dateTimeXPath The XPath to lookup the <code>DateTime</code> element @@ -162,11 +162,12 @@ public class RequestParserUtils { /** * Get the signing time from a Verfiy(CMS|XML)SignatureRequest. - * - * @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code> DOM - * element. - * @param dateTimeXPath The XPath to lookup the <code>DateTime</code> element - * within the request. + * + * @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code> + * DOM element. + * @param extendedValidationXPath The XPath to lookup the <code>DateTime</code> + * element within the request. + * @param defaultValue Default value if XPath value is null or empty * @return Date The date and time corresponding to the <code>DateTime</code> * element in the request. If no <code>DateTime</code> element exists in * the request, <code>null</code> is returned. diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java index 1156aa1..daf3802 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java @@ -499,7 +499,7 @@ public class ResponseBuilderUtils { * element. * @param elementName The name of the newly created element. * @param code The content of the <code>Code</code> subelement. - * @param info The content of the <code>Info</code> subelement. + * @param name The content of the <code>Info</code> subelement. */ public static void addFormCheckElement( Document response, diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java index 7a246d6..beb1c15 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java @@ -23,11 +23,14 @@ package at.gv.egovernment.moa.spss.api.xmlbind; +import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.Map; import java.util.StringTokenizer; +import javax.xml.transform.TransformerException; + import org.w3c.dom.Element; import org.w3c.dom.traversal.NodeIterator; @@ -42,6 +45,7 @@ import at.gv.egovernment.moa.spss.api.common.XPathFilter; import at.gv.egovernment.moa.spss.api.common.XPathFilter2Transform; import at.gv.egovernment.moa.spss.api.common.XPathTransform; import at.gv.egovernment.moa.spss.api.common.XSLTTransform; +import at.gv.egovernment.moaspss.logging.Logger; import at.gv.egovernment.moaspss.util.Constants; import at.gv.egovernment.moaspss.util.DOMUtils; import at.gv.egovernment.moaspss.util.XPathUtils; @@ -137,6 +141,13 @@ public class TransformParser { } else if (XSLTTransform.XSLT.equals(algorithmUri)) { return parseXSLTTransform(transformElem); } else { + try { + Logger.info("Find suspect XML transformation: " + DOMUtils.serializeNode(transformElem)); + + } catch (TransformerException | IOException e) { + Logger.warn("Can not serialize suspect XML transformation", e); + + } throw new MOAApplicationException("1108", new Object[] { algorithmUri }); } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java index bcab978..1279d73 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java @@ -171,7 +171,7 @@ public class VerifyCMSSignatureRequestParser { // put the signatories into a List while (tokenizer.hasMoreTokens()) { try { - signatoriesList.add(new Integer(tokenizer.nextToken())); + signatoriesList.add(Integer.valueOf(tokenizer.nextToken())); } catch (final NumberFormatException e) { // this cannot occur if the request has been validated } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java index bf11240..0f1a57d 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java @@ -50,18 +50,19 @@ public class CRLDistributionPoint extends DistributionPoint implements // create the mapping between reason code strings and their integer // values - RC_MAPPING.put("unused", new Integer(iaik.asn1.structures.DistributionPoint.unused)); - RC_MAPPING.put("keyCompromise", new Integer(iaik.asn1.structures.DistributionPoint.keyCompromise)); - RC_MAPPING.put("cACompromise", new Integer(iaik.asn1.structures.DistributionPoint.cACompromise)); - RC_MAPPING.put("affiliationChanged", new Integer( + RC_MAPPING.put("unused", Integer.valueOf(iaik.asn1.structures.DistributionPoint.unused)); + RC_MAPPING.put("keyCompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.keyCompromise)); + RC_MAPPING.put("cACompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.cACompromise)); + RC_MAPPING.put("affiliationChanged", Integer.valueOf( iaik.asn1.structures.DistributionPoint.affiliationChanged)); - RC_MAPPING.put("superseded", new Integer(iaik.asn1.structures.DistributionPoint.superseded)); + RC_MAPPING.put("superseded", Integer.valueOf(iaik.asn1.structures.DistributionPoint.superseded)); RC_MAPPING.put("cessationOfOperation", - new Integer(iaik.asn1.structures.DistributionPoint.cessationOfOperation)); - RC_MAPPING.put("certificateHold", new Integer(iaik.asn1.structures.DistributionPoint.certificateHold)); - RC_MAPPING.put("privilegeWithdrawn", new Integer( + Integer.valueOf(iaik.asn1.structures.DistributionPoint.cessationOfOperation)); + RC_MAPPING.put("certificateHold", Integer.valueOf( + iaik.asn1.structures.DistributionPoint.certificateHold)); + RC_MAPPING.put("privilegeWithdrawn", Integer.valueOf( iaik.asn1.structures.DistributionPoint.privilegeWithdrawn)); - RC_MAPPING.put("aACompromise", new Integer(iaik.asn1.structures.DistributionPoint.aACompromise)); + RC_MAPPING.put("aACompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.aACompromise)); } /** @@ -76,12 +77,12 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Create a <code>CRLDistributionPoint</code>. - * + * * @param issuerName The name of the CA issuing the CRL referred to by this * DP. - * + * * @param uri The URI of the distribution point. - * + * * @param reasonCodeStr A list of reason codes (a space-separated enumeration). */ public CRLDistributionPoint(String issuerName, String uri, String reasonCodeStr) { @@ -101,7 +102,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Convert a list of reason codes provided as a <code>String</code> to a binary * representation. - * + * * @param reasonCodeStr A <code>String</code> containing a blank-separated, * textual representation of reason codes. * @return int A binary representation of reason codes. @@ -143,7 +144,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Return a binary representation of the reason codes of this distribution * point. - * + * * @return The binary representation of the reason codes. */ @Override @@ -153,7 +154,7 @@ public class CRLDistributionPoint extends DistributionPoint implements /** * Return a <code>String</code> representation of this distribution point. - * + * * @return The <code>String</code> representation of this distribution point. * @see java.lang.Object#toString() */ @@ -163,7 +164,7 @@ public class CRLDistributionPoint extends DistributionPoint implements } /** - * @see iaik.pki.revocation.CRLDistributionPoint#getIssuerName() + * Get CRL issuer-name. */ public String getIssuerName() { return issuerName_; diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index 5f8b46d..09ec921 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -48,8 +48,10 @@ import org.w3c.dom.Element; import org.w3c.dom.traversal.NodeIterator; import org.xml.sax.SAXException; +import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.api.common.TSLConfiguration; import at.gv.egovernment.moa.spss.api.impl.TSLConfigurationImpl; +import at.gv.egovernment.moa.spss.api.xmlbind.ProfileParser; import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moaspss.logging.LogMsg; import at.gv.egovernment.moaspss.logging.Logger; @@ -58,7 +60,6 @@ import at.gv.egovernment.moaspss.util.DOMUtils; import at.gv.egovernment.moaspss.util.MiscUtil; import at.gv.egovernment.moaspss.util.StringUtils; import at.gv.egovernment.moaspss.util.XPathUtils; -import iaik.asn1.structures.Name; //import iaik.ixsil.exceptions.URIException; //import iaik.ixsil.util.URI; import iaik.pki.pathvalidation.ChainingModes; @@ -96,7 +97,7 @@ public class ConfigurationPartsBuilder { private static final int SHORT_TIME_CERT_DEFAULT_INTERVAL = 0; private static final boolean SHORT_TIME_CERT_DEFAULT_ETSI = true; - + // // XPath expressions to select certain parts of the configuration // @@ -153,6 +154,11 @@ public class ConfigurationPartsBuilder { private static final String KEYGROUP_MAPPING_XPATH = ROOT + CONF + "SignatureCreation/" + CONF + "KeyGroupMapping"; + + private static final String SIGN_PARAMS_XPATH = + ROOT + CONF + "SignatureCreation/" + + CONF + "Signing"; + private static final String ISSUER_XPATH = DSIG + "X509IssuerName"; private static final String SERIAL_XPATH = @@ -176,6 +182,10 @@ public class ConfigurationPartsBuilder { + CONF + "PathConstruction/" + CONF + "AutoAddEECertificates"; + private static final String STRICT_SIGNATURE_VALUE_PARSING_XPATH_ = + ROOT + CONF + "SignatureVerification/" + + CONF + "StrictSignatureValueParsing"; + private static final String USE_AUTHORITY_INFO_ACCESS_XPATH_ = ROOT + CONF + "SignatureVerification/" + CONF + "CertificateValidation/" @@ -208,17 +218,17 @@ public class ConfigurationPartsBuilder { + CONF + "RevocationChecking/" + CONF + "CrlRetentionIntervals/" + CONF + "CA"; - + private static final String SHORT_TIME_CERTS_INTERVALS_XPATH = ROOT + CONF + "SignatureVerification/" + CONF + "CertificateValidation/" + CONF + "RevocationChecking/" + CONF + "ShortTermedCertificates"; - + private static final String SHORT_TIME_CERTS_INTERVALS_CA_XPATH = SHORT_TIME_CERTS_INTERVALS_XPATH + "/" + CONF + "CA"; - + private static final String ENABLE_REVOCATION_CHECKING_XPATH_ = ROOT + CONF + "SignatureVerification/" + CONF + "CertificateValidation/" @@ -437,7 +447,7 @@ public class ConfigurationPartsBuilder { /** * Get the connection timeout to set-up a network connection - * + * * @return timeout in milliseconds [ms] */ public int getConnectionTimeout() { @@ -459,7 +469,7 @@ public class ConfigurationPartsBuilder { return defaultConnectionTimeout * 1000; } - + public int getReadTimeout() { final String connectionTimeout = getElementValue(getConfigElem(), READ_TIMEOUT_XPATH_, "30"); @@ -571,7 +581,7 @@ public class ConfigurationPartsBuilder { entry = new BlackListEntry(host, -1); info("config.34", new Object[] { host }); } else { - entry = new BlackListEntry(host, new Integer(port).intValue()); + entry = new BlackListEntry(host, Integer.valueOf(port).intValue()); info("config.34", new Object[] { host + ":" + port }); } @@ -621,7 +631,7 @@ public class ConfigurationPartsBuilder { entry = new WhiteListEntry(host, -1); info("config.49", new Object[] { host }); } else { - entry = new WhiteListEntry(host, new Integer(port).intValue()); + entry = new WhiteListEntry(host, Integer.valueOf(port).intValue()); info("config.49", new Object[] { host + ":" + port }); } @@ -754,9 +764,22 @@ public class ConfigurationPartsBuilder { final String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF + "DigestMethodAlgorithm", null); - final Set keyGroupEntries = - buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); - final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm); + final Set keyGroupEntries = buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem); + + String rsaSsaPssAttr = keyGroupElem.getAttribute("RSASSA-PSS"); + Boolean useRsaSsaPss = null; + if (org.apache.commons.lang3.StringUtils.isNotEmpty(rsaSsaPssAttr)) { + useRsaSsaPss = Boolean.valueOf(keyGroupElem.getAttribute("RSASSA-PSS")); + Logger.info((useRsaSsaPss ? "Enable" : "Disable") + + " RSASSA-PSS as primary signature-algorithm for keyGroup: " + keyGroupId); + + } else { + Logger.debug("RSASSA-PSS is not defined for keyGroup: " + keyGroupId); + + } + + final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, + keyGroupDigestMethodAlgorithm, useRsaSsaPss); if (keyGroups.containsKey(keyGroupId)) { warn("config.04", new Object[] { "KeyGroup", keyGroupId }); @@ -1082,7 +1105,7 @@ public class ConfigurationPartsBuilder { /** * Build the <code>CreateSignatureEnvironmentProfile</code>s. - * + * * @return The mapping from profile ID to profile. */ public Map buildCreateSignatureEnvironmentProfiles() { @@ -1095,7 +1118,21 @@ public class ConfigurationPartsBuilder { * @return The mapping from profile ID to profile. */ public Map buildVerifyTransformsInfoProfiles() { - return loadProfiles(VERIFY_TRANSFORMS_INFO_PROFILE_XPATH, "VerifyTransformsInfoProfile"); + Map<String, Element> profiles = loadProfiles(VERIFY_TRANSFORMS_INFO_PROFILE_XPATH, "VerifyTransformsInfoProfile"); + + // validate entries + ProfileParser profileParser = new ProfileParser(); + profiles.entrySet().forEach(el -> { + try { + profileParser.parseVerifyTransformsInfoProfile(el.getValue()); + + } catch (MOAApplicationException e) { + Logger.warn("TransformationProfile with Id:" + el.getKey() + " is invalid: " + e.getMessage()); + } + }); + + return profiles; + } /** @@ -1116,8 +1153,8 @@ public class ConfigurationPartsBuilder { * * @return Map The profile ID to profile mapping. */ - private Map loadProfiles(String xpath, String profileRoot) { - final Map profiles = new HashMap(); + private Map<String, Element> loadProfiles(String xpath, String profileRoot) { + final Map<String, Element> profiles = new HashMap<>(); final NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), xpath); Element profileElem; @@ -1254,8 +1291,12 @@ public class ConfigurationPartsBuilder { // check if TSL support is enabled final Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL"); boolean tslEnabled = false; + boolean forceTslAvailability = true; + if (eutslElem != null) { tslEnabled = true; + forceTslAvailability = Boolean.valueOf(getAttributeValue( + profileElem, CONF + "EUTSL" + "/@" + "forceAvailability", String.valueOf(true))); } // load TSL configuration @@ -1266,9 +1307,12 @@ public class ConfigurationPartsBuilder { final String allowedTspServiceTypes = getElementValue(profileElem, CONF + "EUTSL" + "/" + CONF + "AllowedTSPServiceTypes", null); + + // create profile configuration final TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr, - tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes); + tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes, forceTslAvailability); + trustProfiles.put(id, profile); } @@ -1478,7 +1522,7 @@ public class ConfigurationPartsBuilder { * Returns the JDBC URL for the revocation archive database. * * @return the JDBC URL for the revocation archive database, or - * <code>null</code, if the corresponding parameter is not set in the + * <code>null</code>, if the corresponding parameter is not set in the * configuration. */ public String getRevocationArchiveJDBCURL() { @@ -1488,9 +1532,9 @@ public class ConfigurationPartsBuilder { /** * Returns the JDBC driver class name for the revocation archive database. - * + * * @return the JDBC driver class name for the revocation archive database, or - * <code>null</code, if the corresponding parameter is not set in the + * <code>null</code>, if the corresponding parameter is not set in the * configuration. */ public String getRevocationArchiveJDBCDriverClass() { @@ -1576,13 +1620,18 @@ public class ConfigurationPartsBuilder { public boolean getAutoEEAddCertificates() { final String autoAdd = getElementValue(getConfigElem(), AUTO_ADD_EE_CERTIFICATES_XPATH_, null); - if (autoAdd != null) { + if (autoAdd != null) { return Boolean.valueOf(autoAdd).booleanValue(); - + } else { return false; - + } + } + + public boolean isStrictSignatureValueParsingEnabled() { + final String isActive = getElementValue(getConfigElem(), STRICT_SIGNATURE_VALUE_PARSING_XPATH_, "true"); + return Boolean.valueOf(isActive).booleanValue(); } @@ -1731,7 +1780,7 @@ public class ConfigurationPartsBuilder { while ((modElem = (Element) modIter.nextNode()) != null) { final String x509IssuerName = getElementValue(modElem, CONF + "X509IssuerName", null); final String i = getElementValue(modElem, CONF + "Interval", null); - final Integer interval = new Integer(i); + final Integer interval = Integer.valueOf(i); map.put(ConfigurationProvider.normalizeX500Names(x509IssuerName), interval); } @@ -1739,53 +1788,81 @@ public class ConfigurationPartsBuilder { return map; } - + /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * <p> + * <b>Default: </b> <code>true</code> + * </p> + * + * @return <code>true</code> if RSASSA-PSS should be used, otherwise false. + */ + public boolean isRsaSsaPssEnabled() { + final NodeIterator modIter = XPathUtils.selectNodeIterator( + getConfigElem(), + SIGN_PARAMS_XPATH); + + + Element modElem; + if ((modElem = (Element) modIter.nextNode()) != null) { + Boolean value = Boolean.valueOf(modElem.getAttribute("RSASSA-PSS")); + Logger.debug((value ? "Enable" : "Disable") + " RSASSA-PSS as primary signature-algorithm for RSA"); + return value; + + } else { + Logger.debug("Enable RSASSA-PSS as primary signature-algorithm for RSA"); + return true; + + } + } + /** * Should ETSI extension should be used for short-time certificate validation. - * + * * @return <code>true</code> if it is used */ public boolean isShotTimeCertEtsiExtCheck() { final NodeIterator modIter = XPathUtils.selectNodeIterator( getConfigElem(), SHORT_TIME_CERTS_INTERVALS_XPATH); - + Element modElem; - if ((modElem = (Element) modIter.nextNode()) != null) { - Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension")); - Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension"); + if ((modElem = (Element) modIter.nextNode()) != null) { + Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension")); + Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension"); return value; - + } - - return SHORT_TIME_CERT_DEFAULT_ETSI; + + return SHORT_TIME_CERT_DEFAULT_ETSI; } - + + /** * Get default shortTime certificate interval. - * + * * @return Time in minutes */ public int getShotTimeCertDefaultInterval() { final NodeIterator modIter = XPathUtils.selectNodeIterator( getConfigElem(), SHORT_TIME_CERTS_INTERVALS_XPATH); - + Element modElem; if ((modElem = (Element) modIter.nextNode()) != null) { String defaultString = modElem.getAttribute("defaultValidityPeriod"); Logger.debug("Set default shortTimePeriodInterval to: " + defaultString); return Integer.valueOf(defaultString); - + } - - return SHORT_TIME_CERT_DEFAULT_INTERVAL; + + return SHORT_TIME_CERT_DEFAULT_INTERVAL; } - - + + /** * Returns a map of shortTime certificate intervals. - * + * * <p> * No revocation checks are performed during this interval. * </p> @@ -1803,13 +1880,13 @@ public class ConfigurationPartsBuilder { final String x509IssuerName = ConfigurationProvider.normalizeX500Names( getElementValue(modElem, CONF + "X509IssuerName", null)); final String i = getElementValue(modElem, CONF + "ValidityPeriod", null); - final Integer interval = new Integer(i); + final Integer interval = Integer.valueOf(i); map.put(x509IssuerName, interval); Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName); - + } return map; } - + } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java index 85930b2..6856e56 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java @@ -103,6 +103,9 @@ public class ConfigurationProvider { /** The default canonicalization algorithm name */ private String canonicalizationAlgorithmName; + /** The default of use RSASSA-PSS if supported */ + private boolean useRsaSsaPss; + /** The XAdES version used for signature creation */ private String xadesVersion; @@ -112,6 +115,9 @@ public class ConfigurationProvider { private int connectionTimeout; private int readTimeout; + /** Enable strict parsing or ASN.1 signature values */ + private boolean strictSignatureValueParsing = true; + /** * A <code>List</code> of <code>HardwareCryptoModule</code> objects for * configuring hardware modules. @@ -258,12 +264,12 @@ public class ConfigurationProvider { */ private Map crlRetentionIntervals; - + private boolean useShortTimeCertificateEtisExt; private int defaultShortTimeCertificatePeriod; private Map<String, Integer> shortTimeCertificatePeriods; - - + + /** * Indicates wether external URIs are allowed or not */ @@ -372,6 +378,8 @@ public class ConfigurationProvider { // check TSL configuration checkTSLConfiguration(); + useRsaSsaPss = builder.isRsaSsaPssEnabled(); + digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName(); canonicalizationAlgorithmName = builder.getCanonicalizationAlgorithmName(); @@ -384,13 +392,15 @@ public class ConfigurationProvider { allKeyModules.addAll(softwareKeyModules); keyGroups = builder.buildKeyGroups(allKeyModules); keyGroupMappings = builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL); - + this.connectionTimeout = builder.getConnectionTimeout(); Logger.debug("Set 'Connection-Timeout' to " + String.valueOf(this.connectionTimeout) + "[ms]"); - + this.readTimeout = builder.getReadTimeout(); Logger.debug("Set 'Read-Timeout' to " + String.valueOf(this.readTimeout) + "[ms]"); - + + strictSignatureValueParsing = builder.isStrictSignatureValueParsingEnabled(); + pdfAsConfiguration = builder.getPDFASConfiguration(); adesFormResults = builder.getAdesFormResult(); xadesVersion = builder.getXAdESVersion(); @@ -425,7 +435,7 @@ public class ConfigurationProvider { shortTimeCertificatePeriods = builder.getShotTimeCertIntervals(); defaultShortTimeCertificatePeriod = builder.getShotTimeCertDefaultInterval(); useShortTimeCertificateEtisExt = builder.isShotTimeCertEtsiExtCheck(); - + allowExternalUris_ = builder.allowExternalUris(); if (allowExternalUris_) { @@ -551,6 +561,15 @@ public class ConfigurationProvider { } /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * @return <code>true</code> if RSASSA-PSS should be used, otherwise false. + */ + public boolean isUseRsaSsaPss() { + return useRsaSsaPss; + } + + /** * Return the XAdES version used for signature creation. * * @return The XAdES version used for signature creation, or an empty @@ -681,7 +700,7 @@ public class ConfigurationProvider { // Entry thisEntry = (Entry) entries.next(); // System.out.println("Entry: " + thisEntry.getKey()); // System.out.println("Value: " + thisEntry.getValue()); -// } +// } mapping = (Map) keyGroupMappings.get(issuerAndSerial); if (mapping != null) { @@ -972,6 +991,19 @@ public class ConfigurationProvider { } /** + * Activates / deactivates strict parsing of ASN.1 encoded signature values. + * + * <p> + * <b>Default:</b> true + * </p> + * + * @return <code>true</code> if enabled, otherwise <code>false</code> + */ + public boolean isStrictSignatureValueParsing() { + return strictSignatureValueParsing; + } + + /** * Returns whether the certificate extension Authority Info Access should be * used during certificate path construction. * @@ -1008,7 +1040,7 @@ public class ConfigurationProvider { public TSLConfiguration getTSLConfiguration() { return tslconfiguration_; } - + public int getDefaultShortTimeCertificatePeriod() { return defaultShortTimeCertificatePeriod; } @@ -1021,20 +1053,20 @@ public class ConfigurationProvider { return shortTimeCertificatePeriods; } - - + + public static final String normalizeX500Names(String x500Name) { try { final RFC2253NameParser parser = new RFC2253NameParser(x500Name); final Name name = parser.parse(); return name.getRFC2253String(); - + } catch (final RFC2253NameParserException e) { Logger.info("X500Name: " + x500Name + " can not be normalized. Use it as it is"); return x500Name; - + } - + } - + }
\ No newline at end of file diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java index faeaf82..fc374ab 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java @@ -42,6 +42,9 @@ public class KeyGroup { /** The digest method algorithm for the key group */ private final String digestMethodAlgorithm; + /** Use RSASSA-PSS if supported */ + private final Boolean useRsaSsaPss; + /** * Create a <code>KeyGroup</code>. * @@ -51,9 +54,25 @@ public class KeyGroup { * @param digestMethodAlgorithm The signature algorithm used for this key group */ public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) { + this(id, keyGroupEntries, digestMethodAlgorithm, true); + + } + + /** + * Create a <code>KeyGroup</code>. + * + * @param id The ID of this <code>KeyGroup</code>. + * @param keyGroupEntries The keys belonging to this + * <code>KeyGroup</code>. + * @param useRsaSsaPss Use RSASSA-PSS if available and supported + * @param digestMethodAlgorithm The signature algorithm used for this key group + */ + public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm, Boolean useRsaSsaPss) { this.id = id; this.keyGroupEntries = keyGroupEntries; this.digestMethodAlgorithm = digestMethodAlgorithm; + this.useRsaSsaPss = useRsaSsaPss; + } /** @@ -84,6 +103,17 @@ public class KeyGroup { } /** + * Use RSASSA-PSS algorithm if it's supported by Key-Material. + * + * @return <code>true</code> if RSASSA-PSS should be used, <code>false</code> if + * it is disabled, or <code>null</code> if it is undefined + */ + public Boolean isUseRsaSsaPass() { + return useRsaSsaPss; + + } + + /** * Return a <code>String</code> representation of this <code>KeyGroup</code>. * * @return The <code>String</code> representation. @@ -102,7 +132,7 @@ public class KeyGroup { } } return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: " - + digestMethodAlgorithm; + + digestMethodAlgorithm + useRsaSsaPss != null ? ("RSASSA-PSS: " + useRsaSsaPss) : ""; } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java index 94155d6..31a2fc5 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java @@ -51,6 +51,7 @@ public class TrustProfile { /** Defines if Trustprofile makes use of EU TSL */ private final boolean tslEnabled; + private final boolean forceTslAvailability; /** The countries given */ private final List<String> countries = new ArrayList<>(); @@ -71,13 +72,15 @@ public class TrustProfile { * @param allowedTspStatus */ public TrustProfile(String id, String uri, String signerCertsUri, - boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes) { + boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes, + boolean forceTslAvailability) { this.id = id; this.uri = uri; this.signerCertsUri = signerCertsUri; // TSL configuration parameters this.tslEnabled = tslEnabled; + this.forceTslAvailability = forceTslAvailability; if (tslEnabled) { setCountries(countries); @@ -96,6 +99,9 @@ public class TrustProfile { Logger.info("TrustProfile " + id + " allows " + Arrays.toString(this.allowedTspServiceTypes.toArray()) + " TSL service-type identifier"); + Logger.info("TrustProfile " + id + + (forceTslAvailability ? " enforce" : " not enforce") + " TSL availability"); + } } @@ -202,6 +208,15 @@ public class TrustProfile { } /** + * Indicates of TSL must or should be available. + * + * @return <code>true</code> of TSL must be available + */ + public boolean isForceTslAvailability() { + return forceTslAvailability; + } + + /** * Returns the given countries * * @return Given countries diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java index d660c7a..e5b6025 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java @@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.cmssign; import java.util.List; import java.util.Set; +import org.apache.commons.lang3.StringUtils; + import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -63,15 +65,36 @@ public class CMSSignatureCreationProfileImpl /** Digest Method algorithm */ private String digestMethod; private final boolean isPAdESConform; + private final boolean rsaSsaPss; + + public CMSSignatureCreationProfileImpl( + Set keySet, + String digestMethod, + List signedProperties, + boolean securityLayerConform, + boolean includeData, + String mimeType, + boolean isPAdESConform) { + this(keySet, digestMethod, signedProperties, securityLayerConform, includeData, mimeType, + isPAdESConform, true); + + } /** - * Create a new <code>XMLSignatureCreationProfileImpl</code>. + * Creates a CMS based signature-creation profile. * - * @param createProfileCount Provides external information about the number of - * calls to the signature creation module, using the - * same request. - * @param reservedIDs The set of IDs that must not be used while - * generating new IDs. + * @param keySet Set of signing keys + * @param digestMethod Hash algorithm + * @param signedProperties List of signing properties + * @param securityLayerConform If <code>true</code> create a CAdES-B signature, + * otherwise CMS signature + * @param includeData If <code>true</code> create an embedded + * signature, otherwise a detached + * @param mimeType MimeType to be set + * @param isPAdESConform If <code>true</code> signature fulfill PAdES + * requirements + * @param rsaSsaPss If <code>true</code> use RSASSA-PSS algorithms, + * otherwise RSA#1.5 */ public CMSSignatureCreationProfileImpl( Set keySet, @@ -80,7 +103,8 @@ public class CMSSignatureCreationProfileImpl boolean securityLayerConform, boolean includeData, String mimeType, - boolean isPAdESConform) { + boolean isPAdESConform, + boolean rsaSsaPss) { this.keySet = keySet; this.signedProperties = signedProperties; this.securityLayerConform = securityLayerConform; @@ -88,6 +112,7 @@ public class CMSSignatureCreationProfileImpl this.mimeType = mimeType; this.digestMethod = digestMethod; this.isPAdESConform = isPAdESConform; + this.rsaSsaPss = rsaSsaPss; } @@ -131,11 +156,70 @@ public class CMSSignatureCreationProfileImpl null); } + final String selectedSigAlg = selectBestSigAlg(algorithms, selectedKeyID); + Logger.trace("Selecting SigAlg: " + selectedSigAlg); + return selectedSigAlg; + + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() + */ + @Override + public List getSignedProperties() { + return signedProperties; + } + + /** + * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() + */ + @Override + public boolean isSecurityLayerConform() { + return securityLayerConform; + } + + /** + * Sets the security layer conformity. + * + * @param securityLayerConform <code>true</code>, if the created signature is to + * be conform to the Security Layer specification. + */ + public void setSecurityLayerConform(boolean securityLayerConform) { + this.securityLayerConform = securityLayerConform; + } + + public void setDigestMethod(String digestMethod) { + this.digestMethod = digestMethod; + } + + @Override + public String getMimeType() { + return mimeType; + } + + @Override + public boolean includeData() { + return this.includeData; + } + + @Override + public boolean isPAdESConform() { + return this.isPAdESConform; + } + + private String selectBestSigAlg(Set algorithms, KeyEntryID selectedKeyID) throws AlgorithmUnavailableException { + Logger.trace("Key: " + selectedKeyID + " supports signingAlgs: " + StringUtils.join(algorithms, ",")); + + // TODO: maybe add support for parameterized RSASSA-PSS + if (digestMethod.compareTo("SHA-1") == 0) { Logger.warn( "SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)"); - if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { + if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) { return SignatureAlgorithms.SHA1_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { @@ -152,7 +236,11 @@ public class CMSSignatureCreationProfileImpl } } else if (digestMethod.compareTo("SHA-256") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) { + + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { @@ -168,7 +256,10 @@ public class CMSSignatureCreationProfileImpl null); } } else if (digestMethod.compareTo("SHA-384") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { return SignatureAlgorithms.SHA384_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { @@ -184,7 +275,10 @@ public class CMSSignatureCreationProfileImpl null); } } else if (digestMethod.compareTo("SHA-512") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { return SignatureAlgorithms.SHA512_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { @@ -205,52 +299,6 @@ public class CMSSignatureCreationProfileImpl null, null); } - - } - - /** - * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties() - */ - @Override - public List getSignedProperties() { - return signedProperties; - } - - /** - * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform() - */ - @Override - public boolean isSecurityLayerConform() { - return securityLayerConform; - } - - /** - * Sets the security layer conformity. - * - * @param securityLayerConform <code>true</code>, if the created signature is to - * be conform to the Security Layer specification. - */ - public void setSecurityLayerConform(boolean securityLayerConform) { - this.securityLayerConform = securityLayerConform; - } - - public void setDigestMethod(String digestMethod) { - this.digestMethod = digestMethod; - } - - @Override - public String getMimeType() { - return mimeType; - } - - @Override - public boolean includeData() { - return this.includeData; - } - - @Override - public boolean isPAdESConform() { - return this.isPAdESConform; } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java index d1b776b..befeab7 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java @@ -43,7 +43,6 @@ import iaik.pki.store.revocation.RevocationStoreException; * A customized implementation of * {@link iaik.pki.store.revocation.RevocationInfoRetriever}. Will be used * instead of the default implementation - * {@link iaik.pki.store.revocation.CRLRetriever} to overcome a classloader * problem in connection with the {@link java.net.URL} class in a Tomcat * deployment environment. * diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java index 22cceeb..0e12f89 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java @@ -28,7 +28,6 @@ import iaik.pki.store.revocation.archive.DataBaseArchiveParameters; /** * An implementation of the <code>DataBaseArchiveParameter</code> interface. * - * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter * @author Patrick Peck * @version $Id$ */ @@ -46,9 +45,6 @@ public class DataBaseArchiveParameterImpl implements DataBaseArchiveParameters { this.jDBCUrl = jDBCUrl; } - /** - * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter#getJDBCUrl() - */ @Override public String getJDBCUrl() { return jDBCUrl; diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java index a53bce8..f15bbb3 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java @@ -65,7 +65,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Create a new <code>PKIProfileImpl</code>. - * + * * @param config The MOA configuration providing configuration data * about certificate path validation. * @param trustProfileID The trust profile ID denoting the location of the trust @@ -83,58 +83,6 @@ public class PKIProfileImpl implements PKIProfile { } - private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException { - final TrustProfile tp = config.getTrustProfile(trustProfileId); - if (tp != null) { - // build directory based trust store as default - - if (tp.isTSLEnabled()) { - TslTrustStoreProfile tslTrustStore; - try { - if (!TSLServiceFactory.isInitialized()) { - Logger.error("Can not build TrustProfile:" + trustProfileId - + " Reason: TrustProfile needs TSL support but TSL client NOT initialized."); - throw new TslPKIException("Trust Status-List service client is NOT initialized"); - - } - - // build TSL truststore if enabled - tslTrustStore = TSLServiceFactory.getTSLServiceClient().buildTrustStoreProfile( - tp.getCountries(), - tp.getAllowedTspStatus(), - tp.getAllowedTspServiceTypes(), - trustProfileId + "_TSL"); - - // build Directory based TrustStore - final TrustStoreProfileImpl directoryTrustStore = new TrustStoreProfileImpl(trustProfileId - + "_Directory", tp.getUri()); - - // generate a virtual truststore that concatenates the TSL TrustStore and the - // directory TrustStore - final ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile( - Arrays.asList(tslTrustStore, directoryTrustStore), - trustProfileId); - - // set this virtual truststore - setTrustStoreProfile(chainedProfile); - - } catch (final TslPKIException e) { - Logger.error("Virtual TSL based TrustProfile generation FAILED.", e); - throw new MOAApplicationException("2900", new Object[] { trustProfileId }); - - } - - } else { - setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri())); - } - - } else { - throw new MOAApplicationException("2203", new Object[] { trustProfileId }); - - } - - } - /** * @see iaik.pki.PKIProfile#autoAddCertificates() */ @@ -153,7 +101,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>RevocationProfile</code>. - * + * * @param revocationProfile The <code>RevocationProfile</code> used for * revocation checking. */ @@ -171,7 +119,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>TrustStoreProfile</code>. - * + * * @param trustStoreProfile The <code>TrustStoreProfile</code>. */ protected void setTrustStoreProfile(TrustStoreProfile trustStoreProfile) { @@ -188,7 +136,7 @@ public class PKIProfileImpl implements PKIProfile { /** * Sets the <code>ValidationProfile</code>. - * + * * @param validationProfile The <code>ValidationProfile</code> to set. */ protected void setValidationProfile(ValidationProfile validationProfile) { @@ -211,15 +159,15 @@ public class PKIProfileImpl implements PKIProfile { if (config.getAutoAddCertificates()) { if (config.getAutoAddEECertificates()) { return PKIProfile.AUTO_ADD_ENABLE; - + } else { return PKIProfile.AUTO_ADD_EE_DISABLE; - + } } else { return PKIProfile.AUTO_ADD_DISABLE; - + } } @@ -230,4 +178,69 @@ public class PKIProfileImpl implements PKIProfile { return null; } + private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException { + final TrustProfile tp = config.getTrustProfile(trustProfileId); + if (tp != null) { + // build directory based trust store as default + + if (tp.isTSLEnabled()) { + buildTrustStoreWithTslSupport(tp); + + } else { + setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri())); + } + + } else { + throw new MOAApplicationException("2203", new Object[] { trustProfileId }); + + } + } + + private void buildTrustStoreWithTslSupport(TrustProfile tp) throws MOAApplicationException { + try { + if (!TSLServiceFactory.isInitialized()) { + if (tp.isForceTslAvailability()) { + Logger.error("Can not build TrustProfile:" + tp.getId() + + " Reason: TrustProfile needs TSL support but TSL client NOT initialized."); + throw new TslPKIException("Trust Status-List service client is NOT initialized"); + + } else { + Logger.warn("Can not fully initialize TrustProfile:" + tp.getId() + + ", because TrustProfile needs TSL support but TSL client NOT initialized. Ignoring TSL support ... "); + setTrustStoreProfile(new TrustStoreProfileImpl(tp.getId(), tp.getUri())); + + } + + } else { + + // build TSL truststore if enabled + TslTrustStoreProfile tslTrustStore = TSLServiceFactory.getTSLServiceClient().buildTrustStoreProfile( + tp.getCountries(), + tp.getAllowedTspStatus(), + tp.getAllowedTspServiceTypes(), + tp.getId() + "_TSL"); + + // build Directory based TrustStore + final TrustStoreProfileImpl directoryTrustStore = + new TrustStoreProfileImpl(tp.getId() + "_Directory", tp.getUri()); + + // generate a virtual truststore that concatenates the TSL TrustStore and the + // directory TrustStore + final ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile( + Arrays.asList(tslTrustStore, directoryTrustStore), + tp.getId()); + + // set this virtual truststore + setTrustStoreProfile(chainedProfile); + + } + + } catch (final TslPKIException e) { + Logger.error("Virtual TSL based TrustProfile generation FAILED.", e); + throw new MOAApplicationException("2900", new Object[] { tp.getId() }); + + } + + } + } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java index 9ef3764..7a036ec 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java @@ -60,10 +60,9 @@ public class TrustStoreProfileImpl implements TrustStoreProfile { /** * Create a new <code>TrustStoreProfileImpl</code>. * - * @param config The MOA configuration data, from which trust store - * configuration data is read. - * @param trustProfileId The trust profile id on which this - * <code>TrustStoreProfile</code> is based. + * @param trustProfileId The trust profile id on which this + * <code>TrustStoreProfile</code> is based. + * @param trustProfileUri File path to trust profile * @throws MOAApplicationException The <code>trustProfileId</code> could not be * found in the MOA configuration. */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java index 516e3d8..b0fea7f 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java @@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.xmlsign; import java.util.List; import java.util.Set; +import org.apache.commons.lang3.StringUtils; + import at.gv.egovernment.moa.spss.server.logging.TransactionId; import at.gv.egovernment.moa.spss.server.transaction.TransactionContext; import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager; @@ -76,6 +78,7 @@ public class XMLSignatureCreationProfileImpl private final IdGenerator propertyIDGenerator; /** The selected digest method algorithm if XAdES 1.4.2 is used */ private final String digestMethodXAdES142; + private final boolean rsaSsaPss; /** * Create a new <code>XMLSignatureCreationProfileImpl</code>. @@ -85,11 +88,12 @@ public class XMLSignatureCreationProfileImpl * same request. * @param reservedIDs The set of IDs that must not be used while * generating new IDs. + * @param useRsaSsaPss Use RSASSA-PSS if supported */ public XMLSignatureCreationProfileImpl( int createProfileCount, Set reservedIDs, - String digestMethodXAdES142) { + String digestMethodXAdES142, boolean useRsaSsaPss) { signatureIDGenerator = new IdGenerator("signature-" + createProfileCount, reservedIDs); manifestIDGenerator = @@ -99,6 +103,8 @@ public class XMLSignatureCreationProfileImpl propertyIDGenerator = new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs); this.digestMethodXAdES142 = digestMethodXAdES142; + this.rsaSsaPss = useRsaSsaPss; + } /** @@ -159,6 +165,14 @@ public class XMLSignatureCreationProfileImpl @Override public String getSignatureAlgorithmName(KeyEntryID selectedKeyID) throws AlgorithmUnavailableException { + String sigAlgIdentifier = getInternalSignatureAlgorithmName(selectedKeyID); + Logger.debug("Selected SignatureAlgorithmIdentifier: " + sigAlgIdentifier); + return sigAlgIdentifier; + + } + + private String getInternalSignatureAlgorithmName(KeyEntryID selectedKeyID) + throws AlgorithmUnavailableException { final TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); @@ -174,21 +188,35 @@ public class XMLSignatureCreationProfileImpl e, null); } + Logger.trace("RSASSA-PSS: " + rsaSsaPss + " XAdESDigistAlg: " + digestMethodXAdES142 + + " Algorithms: " + StringUtils.join(algorithms, ",")); + // TODO: maybe add support for parameterized RSASSA-PSS if (digestMethodXAdES142 == null) { // XAdES 1.4.2 not enabled - legacy MOA - if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) + if (rsaSsaPss + && (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1))) { + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA) || algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA) || algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA) || algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA) || algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA) - || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA) + || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + + return SignatureAlgorithms.SHA256_WITH_RSA; - return SignatureAlgorithms.SHA1_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) { return SignatureAlgorithms.ECDSA; + } else if (algorithms.contains(SignatureAlgorithms.DSA)) { return SignatureAlgorithms.DSA; + } else { throw new AlgorithmUnavailableException( "No algorithm for key entry: " + selectedKeyID, @@ -219,7 +247,10 @@ public class XMLSignatureCreationProfileImpl } } else if (digestMethodXAdES142.compareTo("SHA-256") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) { return SignatureAlgorithms.SHA256_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) { @@ -235,7 +266,10 @@ public class XMLSignatureCreationProfileImpl null); } } else if (digestMethodXAdES142.compareTo("SHA-384") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) { return SignatureAlgorithms.SHA384_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) { @@ -251,7 +285,10 @@ public class XMLSignatureCreationProfileImpl null); } } else if (digestMethodXAdES142.compareTo("SHA-512") == 0) { - if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { + if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) { + return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1; + + } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) { return SignatureAlgorithms.SHA512_WITH_RSA; } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) { diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index 9ba731d..d8d99bd 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -47,6 +47,7 @@ import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; import at.gv.egovernment.moaspss.util.Constants; import at.gv.egovernment.moaspss.util.DOMUtils; +import iaik.asn1.INTEGER; import iaik.asn1.ObjectID; import iaik.pkcs.pkcs12.PKCS12KeyStore; import iaik.server.ConfigurationData; @@ -61,12 +62,12 @@ import iaik.utils.RFC2253NameParser; public class SystemInitializer { private static final org.slf4j.Logger logger = LoggerFactory.getLogger(SystemInitializer.class); - + /** * 15 min TSL reload scheduler interval. */ private static final long TSL_SCHEDULE_INTERVAL = 5*60*1000; - + /** Interval between archive cleanups in seconds */ private static final long ARCHIVE_CLEANUP_INTERVAL = 60 * 60; // 1h @@ -115,10 +116,10 @@ public class SystemInitializer { RFC2253NameParser.register( "organizationIdentifier", new ObjectID("2.5.4.97", "organizationIdentifier", (String) null, false)); - + // initialize configuration initializeMoaSigConfiguraion(); - + // start the archive cleanup thread Thread archiveCleaner = new Thread(new RevocationArchiveCleaner(ARCHIVE_CLEANUP_INTERVAL)); @@ -149,9 +150,9 @@ public class SystemInitializer { private static void initializeMoaSigConfiguraion() { final MessageProvider msg = MessageProvider.getInstance(); - + try { - + Logger.info("Initialize MOA-SP/SS configuration ... "); config = ConfigurationProvider.getInstance(); @@ -177,12 +178,17 @@ public class SystemInitializer { iaikConfiguration = IaikConfigurator.configure(config); runInitializer(config); - - // set Fallback mode in IAIK KeyStore implementation to 'true' to fix problems default behavior of JVM + + // set Fallback mode in IAIK KeyStore implementation to 'true' to fix problems default behavior of JVM PKCS12KeyStore.setUseJKSFallBack(true); - Logger.info("Set fallback mode in: " + PKCS12KeyStore.class.getSimpleName() + Logger.info("Set fallback mode in: " + PKCS12KeyStore.class.getSimpleName() + " to :" + PKCS12KeyStore.getUseJKSFallBack()); - + + INTEGER.checkForMinumumLengthEncoding(config.isStrictSignatureValueParsing()); + Logger.info(config.isStrictSignatureValueParsing() ? "Enable" + : "Disable" + + " strict parsing of ASN.1 encoded signature values"); + Logger.info(new LogMsg(msg.getMessage("init.01", null))); } catch (final MOAException e) { @@ -193,9 +199,9 @@ public class SystemInitializer { Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e); throw new RuntimeException(e); - } + } } - + private static void loadXsdSchemaIntoXmlParser() { // parsing/validating try { @@ -221,10 +227,10 @@ public class SystemInitializer { } } catch (final IOException e) { Logger.warn(new LogMsg(MessageProvider.getInstance().getMessage("init.04", null)), e); - - } + + } } - + private static void initTSLUpdateTask(TSLConfiguration tslconfig) { final MessageProvider msg = MessageProvider.getInstance(); if (tslconfig != null) { @@ -254,14 +260,14 @@ public class SystemInitializer { if (start.before(now)) { start = new Date(start.getTime() + 86400000); } - + Logger.debug(new LogMsg(msg.getMessage("config.46", new String[] { start.toString(), "" + period }))); // start TSL updater task final Timer timer = new Timer("TSL_DB_Updater"); - timer.schedule(new TSLUpdaterTimerTask(start, period), + timer.schedule(new TSLUpdaterTimerTask(start, period), new Date(now.getTime() + TSL_SCHEDULE_INTERVAL), TSL_SCHEDULE_INTERVAL); - + } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java index 2e7445e..4ae1866 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java @@ -40,6 +40,7 @@ import java.util.Map; import java.util.Set; import org.apache.commons.io.IOUtils; +import org.apache.commons.lang3.StringUtils; import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.MOAException; @@ -74,6 +75,8 @@ import iaik.server.modules.cmssign.CMSSignatureCreationProfile; import iaik.server.modules.keys.KeyEntryID; import iaik.server.modules.keys.KeyModule; import iaik.server.modules.keys.KeyModuleFactory; +import iaik.xml.crypto.utils.URI; +import iaik.xml.crypto.utils.URIException; /** * A class providing an API based interface to the @@ -190,26 +193,7 @@ public class CMSSignatureCreationInvoker { Logger.debug("PAdES conformity requested. Does not set mimetype into CAdES signature"); } - final CMSContent content = dataobject.getContent(); - InputStream contentIs = null; - // build the content data - switch (content.getContentType()) { - case CMSContent.EXPLICIT_CONTENT: - contentIs = ((CMSContentExcplicit) content).getBinaryContent(); - break; - case CMSContent.REFERENCE_CONTENT: - final String reference = ((CMSContentReference) content).getReference(); - if (!"".equals(reference)) { - final ExternalURIResolver resolver = new ExternalURIResolver(); - contentIs = resolver.resolve(reference); - } else { - throw new MOAApplicationException("2301", null); - } - break; - default: { - throw new MOAApplicationException("2301", null); - } - } + InputStream contentIs = readContentToSign(dataobject.getContent(), context); // create CMSSignatureCreationModuleFactory final CMSSignatureCreationModule module = CMSSignatureCreationModuleFactory.getInstance(); @@ -237,6 +221,7 @@ public class CMSSignatureCreationInvoker { // get digest algorithm final String digestAlgorithm = getDigestAlgorithm(config, keyGroupID); + final boolean useRsaSsaPss = isRsaSsaPssActive(config, keyGroupID); // create CMSSignatureCreation profile: final CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl( @@ -246,7 +231,8 @@ public class CMSSignatureCreationInvoker { isSecurityLayerConform, includeData, mimetype, - isPAdESConformRequired); + isPAdESConformRequired, + useRsaSsaPss); // create CMSSignature from the CMSSignatureCreationModule // build the additionalSignedProperties @@ -291,6 +277,53 @@ public class CMSSignatureCreationInvoker { return responseBuilder.getResponse(); } + private InputStream readContentToSign(CMSContent content, TransactionContext context) + throws MOAApplicationException { + InputStream contentIs = null; + // build the content data + switch (content.getContentType()) { + case CMSContent.EXPLICIT_CONTENT: + contentIs = ((CMSContentExcplicit) content).getBinaryContent(); + break; + + case CMSContent.REFERENCE_CONTENT: + final String reference = ((CMSContentReference) content).getReference(); + if (StringUtils.isNotEmpty(reference) && reference.startsWith("cid:")) { + try { + URI uri = new URI(reference); + Logger.trace("Selecting attachement with Id: " + uri.getPath() + " ..."); + contentIs = context.getAttachmentInputStream(uri); + if (contentIs == null) { + Logger.warn("No attachment with Id: " + reference); + throw new MOAApplicationException("2301", null); + + } + + } catch (URIException e) { + Logger.warn("Can not get attachment with Id: " + reference); + throw new MOAApplicationException("2301", null, e); + + } + + } else if (StringUtils.isNotEmpty(reference)) { + final ExternalURIResolver resolver = new ExternalURIResolver(); + contentIs = resolver.resolve(reference); + + } else { + throw new MOAApplicationException("2301", null); + + } + break; + + default: { + throw new MOAApplicationException("2301", null); + } + } + + return contentIs; + + } + private boolean inRange(BigDecimal counter, CMSDataObject dataobject) { final BigDecimal from = dataobject.getExcludeByteRangeFrom(); final BigDecimal to = dataobject.getExcludeByteRangeTo(); @@ -313,13 +346,23 @@ public class CMSSignatureCreationInvoker { } + private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass(); + final boolean configUseRsaSsaPss = config.isUseRsaSsaPss(); + return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss; + + } + private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID) throws MOASystemException { // get digest method on key group level (if configured) final String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm(); + // get default digest method (if configured) final String configDigestMethod = config.getDigestMethodAlgorithmName(); + String digestMethod = null; if (configDigestMethodKG != null) { // if KG specific digest method is configured diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index e18f957..7aca40e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -86,7 +86,7 @@ public class CMSSignatureVerificationInvoker { /** * Return the only instance of this class. - * + * * @return The only instance of this class. */ public static synchronized CMSSignatureVerificationInvoker getInstance() { @@ -98,7 +98,7 @@ public class CMSSignatureVerificationInvoker { /** * Create a new <code>CMSSignatureVerificationInvoker</code>. - * + * * Protected to disallow multiple instances. */ protected CMSSignatureVerificationInvoker() { @@ -106,7 +106,7 @@ public class CMSSignatureVerificationInvoker { /** * Verify a CMS signature. - * + * * @param request The <code>VerifyCMSSignatureRequest</code> containing the CMS * signature, as well as additional data needed for verification. * @return Element A <code>VerifyCMSSignatureResponse</code> containing the @@ -118,7 +118,7 @@ public class CMSSignatureVerificationInvoker { final CMSSignatureVerificationProfileFactory profileFactory = new CMSSignatureVerificationProfileFactory( request); - final VerifyCMSSignatureResponseBuilder responseBuilder = new VerifyCMSSignatureResponseBuilder(); + final TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); final LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext(); InputStream signature; @@ -219,7 +219,7 @@ public class CMSSignatureVerificationInvoker { } } - final QCSSCDResult qcsscdresult = new QCSSCDResult(); + final VerifyCMSSignatureResponseBuilder responseBuilder = new VerifyCMSSignatureResponseBuilder(); // build the response: for each signatory add the result to the response signatories = request.getSignatories(); @@ -248,7 +248,7 @@ public class CMSSignatureVerificationInvoker { handlePDFResult(resultObject, responseBuilder, trustProfile); } } catch (final IndexOutOfBoundsException e) { - throw new MOAApplicationException("2249", new Object[] { new Integer(sigIndex) }); + throw new MOAApplicationException("2249", new Object[] { Integer.valueOf(sigIndex) }); } } } @@ -343,8 +343,6 @@ public class CMSSignatureVerificationInvoker { PDFSignatureVerificationResult cmsResult = null; List adesResults = null; boolean extendedVerification = false; - final Boolean coversFullDoc = null; - final int[] sigByteRange = null; ExtendedCertificateCheckResult extCheckResult = null; if (resultObject instanceof ExtendedPDFSignatureVerificationResult) { @@ -404,8 +402,8 @@ public class CMSSignatureVerificationInvoker { i++; } - qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), trustProfile - .isTSLEnabled(), ConfigurationProvider.getInstance()); + qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), + trustProfile.isTSLEnabled(), ConfigurationProvider.getInstance()); // get signer certificate issuer country code issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)); @@ -421,7 +419,7 @@ public class CMSSignatureVerificationInvoker { /** * Get the signed content contained either in the request itself or given as a * reference to external data. - * + * * @param request The <code>VerifyCMSSignatureRequest</code> containing the * signed content (or the reference to the signed content). * @return InputStream A stream providing the signed content data, or diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java index bc5d884..bca9b8e 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java @@ -69,12 +69,12 @@ public class CreateCMSSignatureResponseBuilder { /** * Add a <code>SignatureEnvironment</code> element to the response. * - * @param signatureEnvironment The content to put under the - * <code>SignatureEnvironment</code> element. This - * should either be a <code>dsig:Signature</code> - * element (in case of a detached signature) or the - * signature environment containing the signature - * (in case of an enveloping signature). + * @param base64value The content to put under the + * <code>SignatureEnvironment</code> element. This should + * either be a <code>dsig:Signature</code> element (in case + * of a detached signature) or the signature environment + * containing the signature (in case of an enveloping + * signature). */ public void addCMSSignature(String base64value) { final CMSSignatureResponse responseElement = @@ -84,7 +84,7 @@ public class CreateCMSSignatureResponseBuilder { /** * Add a <code>ErrorResponse</code> element to the response. - * + * * @param errorCode The error code. * @param info Additional information about the error. */ diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index 813d28e..79b4c29 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -74,15 +74,26 @@ public class VerifyCMSSignatureResponseBuilder { /** * Add a verification result to the response. * - * @param result The result to add. - * @param trustprofile The actual trustprofile - * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the - * certificate as qualified, otherwise <code>false</code>. - * @param checkSSCD <code>true</code>, if the TSL check verifies the - * signature based on a SSDC, otherwise - * <code>false</code>. - * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from - * the TSL, otherwise <code>false</code>. + * @param result The result to add. + * @param trustProfile The actual trustprofile + * @param checkQC <code>true</code>, if the TSL check + * verifies the certificate as qualified, + * otherwise <code>false</code>. + * @param qcSourceTSL <true> if QC info comes from the TSL, + * otherwise <code>false</code>. + * @param checkSSCD <code>true</code>, if the TSL check + * verifies the signature based on a SSDC, + * otherwise <code>false</code>. + * @param sscdSourceTSL <code>true</code>, if the SSCD + * information comes from the TSL, + * otherwise <code>false</code>. + * @param issuerCountryCode TSL issuer country + * @param adesResults Form validation results + * @param extendedCertificateCheckResult Extended validation results + * @param tslInfos Full TSL validation result + * @param extendedVerification <code>true</code> if extended + * validation was used, otherwise + * <code>false</code> * @throws MOAException */ public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC, @@ -150,7 +161,7 @@ public class VerifyCMSSignatureResponseBuilder { } /** - * + * * @param result * @param trustProfile * @param checkQC diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 7e882ed..25ce8d1 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java @@ -515,7 +515,7 @@ public class VerifyXMLSignatureResponseBuilder { try { if (refInfo.isHashCalculated() && !refInfo.isHashValid()) { - failedReferencesList.add(new Integer(i + 1)); + failedReferencesList.add(Integer.valueOf(i + 1)); } } catch (final HashUnavailableException e) { // nothing to do here because we called refInfo.isHashCalculated first diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java index c097b0c..46c4983 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java @@ -191,8 +191,10 @@ public class XMLSignatureCreationProfileFactory { } } + final XMLSignatureCreationProfileImpl profile = - new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142); + new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142, + isRsaSsaPssActive(config, keyGroupID)); // build the transformation supplements createTransformsProfiles = @@ -260,6 +262,21 @@ public class XMLSignatureCreationProfileFactory { return profile; } + private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID) + throws MOASystemException { + final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass(); + final boolean configUseRsaSsaPss = config.isUseRsaSsaPss(); + + Logger.trace("Config using RSASSA-PSS. KeyStore: " + + useRsaSsaPssKg != null + ? useRsaSsaPssKg + : "NOT-DEFINED" + + " Default: " + config); + + return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss; + + } + /** * Get the <code>List</code> of all <code>CreateTransformsInfoProfile</code>s * contained in all the <code>DataObjectInfo</code>s of the given diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index b97cc95..0fb2d82 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -110,34 +110,27 @@ import iaik.xml.crypto.utils.URIException; public class XMLSignatureVerificationInvoker { /** The single instance of this class. */ - private static XMLSignatureVerificationInvoker instance = null; + private static final XMLSignatureVerificationInvoker INSTANCE = new XMLSignatureVerificationInvoker(); - private static Set FILTERED_REF_TYPES; - - static { - FILTERED_REF_TYPES = new HashSet(); - FILTERED_REF_TYPES.add(DsigManifest.XML_DSIG_MANIFEST_TYPE); - FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE); - FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD); - FILTERED_REF_TYPES.add(XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties"); - FILTERED_REF_TYPES.add("http://uri.etsi.org/01903#SignedProperties"); - } + private static final Set<String> FILTERED_REF_TYPES = Set.of( + DsigManifest.XML_DSIG_MANIFEST_TYPE, + SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE, + SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD, + XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties", + "http://uri.etsi.org/01903#SignedProperties"); /** * Get the single instance of this class. - * + * * @return The single instance of this class. */ - public static synchronized XMLSignatureVerificationInvoker getInstance() { - if (instance == null) { - instance = new XMLSignatureVerificationInvoker(); - } - return instance; + public static XMLSignatureVerificationInvoker getInstance() { + return INSTANCE; } /** * Create a new <code>XMLSignatureCreationInvoker</code>. - * + * * Protected to disallow multiple instances. */ protected XMLSignatureVerificationInvoker() { @@ -146,8 +139,8 @@ public class XMLSignatureVerificationInvoker { /** * Process the <code>VerifyXMLSignatureRequest<code> message and invoke the * <code>XMLSignatureVerificationModule</code>. - * - * @param request A <code>VerifyXMLSignatureRequest<code> API object + * + * @param request A <code>VerifyXMLSignatureRequest<code> API object * containing the data for verifying an XML signature. * @return A <code>VerifyXMLSignatureResponse</code> containing the answert * to the <code>VerifyXMLSignatureRequest</code>. MOA schema @@ -307,16 +300,16 @@ public class XMLSignatureVerificationInvoker { /** * Checks if the signer certificate matches one of the allowed signer * certificates specified in the provided <code>trustProfile</code>. - * + * * @param result The result produced by the * <code>XMLSignatureVerificationModule</code>. - * + * * @param trustProfile The trust profile the signer certificate is validated * against. - * + * * @return The overal result of the certificate validation for the signer * certificate. - * + * * @throws MOAException if one of the signer certificates specified in the * <code>trustProfile</code> cannot be read from the file * system. @@ -392,7 +385,7 @@ public class XMLSignatureVerificationInvoker { /** * Select the <code>dsig:Signature</code> DOM element within the signature * environment. - * + * * @param signatureEnvironment The signature environment containing the * <code>dsig:Signature</code>. * @param request The <code>VerifyXMLSignatureRequest</code> @@ -425,7 +418,7 @@ public class XMLSignatureVerificationInvoker { /** * Build the supplemental data objects contained in the * <code>VerifyXMLSignatureRequest</code>. - * + * * @param supplements A <code>List</code> of * <code>XMLDataObjectAssociation</code>s containing the * supplement data. @@ -458,7 +451,7 @@ public class XMLSignatureVerificationInvoker { /** * Get the supplemental data contained in the * <code>VerifyXMLSignatureRequest</code>. - * + * * @param request The <code>VerifyXMLSignatureRequest</code> containing the * supplemental data. * @return A <code>List</code> of <code>XMLDataObjectAssociation</code> objects @@ -490,7 +483,7 @@ public class XMLSignatureVerificationInvoker { /** * Perform additional validations of the * <code>XMLSignatureVerificationResult</code>. - * + * * <p> * In particular, it is verified that: * <ul> @@ -500,7 +493,7 @@ public class XMLSignatureVerificationInvoker { * <li>The hash values of the <code>TransformParameter</code>s are valid.</li> * </ul> * </p> - * + * * @param request The <code>VerifyXMLSignatureRequest</code> containing the * signature to verify. * @param result The result produced by @@ -546,7 +539,7 @@ public class XMLSignatureVerificationInvoker { } if (!found) { - final Integer refIndex = new Integer(refData.getReferenceIndex()); + final Integer refIndex = Integer.valueOf(refData.getReferenceIndex()); final String logMsg = msg.getMessage("invoker.01", new Object[] { refIndex }); failedReferencesList.add(refIndex); @@ -588,8 +581,8 @@ public class XMLSignatureVerificationInvoker { final int[] failedReferences = new int[] { ref.getReferenceIndex() }; final ReferencesCheckResultInfo checkInfo = factory.createReferencesCheckResultInfo(null, failedReferences); - final String logMsg = msg.getMessage("invoker.02", new Object[] { new Integer(ref - .getReferenceIndex()) }); + final String logMsg = msg.getMessage("invoker.02", new Object[] { + Integer.valueOf(ref.getReferenceIndex()) }); Logger.debug(new LogMsg(logMsg)); @@ -605,7 +598,7 @@ public class XMLSignatureVerificationInvoker { * Get all <code>Transform</code>s contained in all the * <code>VerifyTransformsInfoProfile</code>s of the given * <code>ReferenceInfo</code>. - * + * * @param refInfo The <code>ReferenceInfo</code> object containing the * transformations. * @return A <code>List</code> of <code>List</code>s. Each of the @@ -637,7 +630,7 @@ public class XMLSignatureVerificationInvoker { /** * Build the <code>Set</code> of all <code>TransformParameter</code> URIs. - * + * * @param transformParameters The <code>List</code> of * <code>TransformParameter</code>s, as provided to * the verification. @@ -658,7 +651,7 @@ public class XMLSignatureVerificationInvoker { /** * Build a mapping between <code>TransformParameter</code> URIs (a * <code>String</code> and <code>dsig:HashValue</code> (a <code>byte[]</code>). - * + * * @param request The <code>VerifyXMLSignatureRequest</code>. * @return Map The resulting mapping. * @throws MOAApplicationException An error occurred accessing one of the @@ -703,7 +696,7 @@ public class XMLSignatureVerificationInvoker { * Filter the <code>ReferenceInfo</code>s returned by the * <code>VerifyXMLSignatureResult</code> for comparison with the * <code>ReferenceInfo</code> elements in the request. - * + * * @param referenceInfos The <code>ReferenceInfo</code>s from the * <code>VerifyXMLSignatureResult</code>. * @return A <code>List</code> of all <code>ReferenceInfo</code>s whose type is diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java index 335bf68..a60590d 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java @@ -1,6 +1,6 @@ package at.gv.egovernment.moa.spss.server.transaction; -import javax.activation.DataSource; +import jakarta.activation.DataSource; public interface DeleteableDataSource extends DataSource { void delete(); diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java index 5746657..06326a0 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java @@ -33,14 +33,13 @@ import java.util.Iterator; import java.util.Map.Entry; import java.util.Vector; -import javax.activation.DataSource; - import org.w3c.dom.Element; import at.gv.egovernment.moa.spss.MOAApplicationException; import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moaspss.logging.Logger; import iaik.xml.crypto.utils.URI; +import jakarta.activation.DataSource; /** * Contains information about the current request. @@ -310,7 +309,7 @@ public class TransactionContext { } // not available in Axis 1.0 to 1.1 // File f = mmds.getDiskCacheFile(); -// if (f!=null) f.delete(); +// if (f!=null) f.delete(); if (mmds instanceof DeleteableDataSource) { ((DeleteableDataSource) mmds).delete(); } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java index d75240e..0336834 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java @@ -3,7 +3,6 @@ package at.gv.egovernment.moa.spss.tsl; import at.gv.egovernment.moa.sig.tsl.TslClientFactory; import at.gv.egovernment.moa.sig.tsl.api.ITslService; import at.gv.egovernment.moa.sig.tsl.config.TslConfigurationImpl; -import at.gv.egovernment.moa.sig.tsl.exception.TslException; import at.gv.egovernment.moa.sig.tsl.pki.chaining.ChainingTrustStoreHandler; import at.gv.egovernment.moa.spss.server.monitoring.ServiceStatusContainer; import at.gv.egovernment.moa.spss.util.MessageProvider; @@ -16,7 +15,7 @@ public class TSLServiceFactory { private static ITslService tslClient = null; private static TslConfigurationImpl interalConfig; - public static void initialize(TslConfigurationImpl config) { + public static synchronized void initialize(TslConfigurationImpl config) { if (tslClient == null) { try { interalConfig = config; @@ -28,7 +27,7 @@ public class TSLServiceFactory { ServiceStatusContainer.setStatus(true); ServiceStatusContainer.setStatusMsg(ServiceStatusContainer.STATUS_OK); - } catch (final TslException e) { + } catch (final Exception e) { Logger.fatal(new LogMsg(MessageProvider.getInstance().getMessage("init.05", new Object[] { e .getMessage() })), e); diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java index 8e37b1c..8dd2a8b 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java @@ -21,8 +21,8 @@ import iaik.server.modules.resultcodes.ResultCodeValid; public class AdESResultUtils { - private static final int MAJORRESULTCODESKIPPED = new Integer(3); - private static final int MAJORRESULTCODEERROR = new Integer(4); + private static final int MAJORRESULTCODESKIPPED = Integer.valueOf(3); + private static final int MAJORRESULTCODEERROR = Integer.valueOf(4); public static Integer getResultCode(Integer adesCode) { return adesCode; @@ -114,9 +114,9 @@ public class AdESResultUtils { minorInfo = "UNKNOWN_SUBFILTER"; } else if (resultCode.getCode().equals(ResultCode.CODE_NO_SIGNER_CERTIFICATE_FOUND)) { minorInfo = "NO_SIGNER_CERTIFICATE_FOUND"; - - - + + + // pdf-as 3.x detection is removed from MOA-SP since 3.1.2 } else if (resultCode.getCode().equals(ResultCode.PDF_AS_SIGNATURE)) { // minorInfo = "PDF_AS_SIGNATURE"; diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java index b7580ac..35dca16 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java @@ -204,7 +204,6 @@ public class CertificateUtils { // QC evaluation flags boolean qc = false; boolean qcSourceTSL = false; - boolean qcDisallowedFromTSL = false; // SSCD/QSCD evaluation flags boolean sscd = false; @@ -254,7 +253,6 @@ public class CertificateUtils { TslConstants.SSCD_QUALIFIER_SHORT.NotQualified))) { qc = false; qcSourceTSL = false; - qcDisallowedFromTSL = true; Logger.info("TSL mark this certificate explicitly as 'NotQualified'!"); } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java index be40a9e..221c361 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java @@ -47,7 +47,7 @@ public class ExternalURIVerifier { }
} else {
// check host and port
- final int iport = new Integer(bport).intValue();
+ final int iport = Integer.valueOf(bport).intValue();
if (ip.startsWith(bhost) && iport == port) {
Logger.debug(new LogMsg("Blacklist check: " + host + ":" + port + " (" + ip + ":" + port
+ " blacklisted"));
@@ -75,7 +75,7 @@ public class ExternalURIVerifier { }
} else {
// check host and port
- final int iport = new Integer(bport).intValue();
+ final int iport = Integer.valueOf(bport).intValue();
if (ip.startsWith(bhost) && iport == port) {
Logger.debug(new LogMsg("Whitelist check: " + host + ":" + port + " (" + ip + ":" + port
+ " whitelisted"));
|