Diffstat (limited to 'moaSig/moa-sig-lib/src')
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java13
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java2
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java2
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java19
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java2
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java11
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java2
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java33
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java167
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java62
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java32
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java17
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java162
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java1
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java4
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java131
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java7
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java51
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java42
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java85
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java20
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java14
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java31
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java2
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java19
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java65
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java2
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java5
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java5
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java10
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java2
-rw-r--r--moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java4
-rw-r--r--moaSig/moa-sig-lib/src/main/resources/resources/properties/spss_messages_de.properties96
-rw-r--r--moaSig/moa-sig-lib/src/test/java/test/at/gv/egovernment/moa/spss/server/config/ProfileParseTest.java68
-rw-r--r--moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.0.xml8
-rw-r--r--moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.0_invalid_schema.xml8
-rw-r--r--moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.1_invalid_transformation.xml8
37 files changed, 813 insertions, 399 deletions
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
index d0be7d5..5d378ce 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java
@@ -316,7 +316,7 @@ public abstract class SPSSFactory {
* @param profileID The profile ID to resolve during signature creation.
* @return The <code>CreateSignatureEnvironmentProfile</code> containing the
* given profile ID.
- *
+ *
* @pre profileID != null && profileID.length() > 0
* @post return != null
*/
@@ -398,8 +398,7 @@ public abstract class SPSSFactory {
/**
* Create a new <code>SignatureEnvironmentResponse</code> object.
*
- * @param signatureEnvironment The signature environment containing the
- * signature.
+ * @param base64value Signature as Base64 encoded data
* @return The <code>SignatureEnvironmentResponse</code> containing the
* <code>signatureEnvironment</code>.
*
@@ -959,15 +958,15 @@ public abstract class SPSSFactory {
/**
* Create a new <code>Content</code> object containing location reference data.
- *
+ *
* @param locationReferenceURI a URI pointing to the actual remote location of
* the content.
- *
+ *
* @param referenceURI An URI identifying the data. May be
* <code>null</code>.
- *
+ *
* @return The <code>Content</code> object containing the data.
- *
+ *
* @pre locationReferenceURI != null
* @post return != null
*/
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java
index 3d5279f..ab73c22 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/CreateSignatureEnvironmentProfileExplicitImpl.java
@@ -32,7 +32,7 @@ import at.gv.egovernment.moa.spss.api.xmlsign.CreateSignatureLocation;
/**
* Default implementation of
- * <codeCreateSignatureEnvironmentProfileExplicit</code>.
+ * <code>CreateSignatureEnvironmentProfileExplicit</code>.
*
* @author Patrick Peck
* @version $Id$
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java
index d1eebca..ed6f449 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyTransformsDataImpl.java
@@ -30,7 +30,7 @@ import java.util.List;
import at.gv.egovernment.moa.spss.api.xmlverify.ReferenceInfo;
/**
- * Default implementation of <codeReferenceInfo</code>.
+ * Default implementation of <code>ReferenceInfo</code>.
*
* @author Fatemeh Philippi
* @version $Id$
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java
index 173ecbf..571977e 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/RequestParserUtils.java
@@ -62,7 +62,7 @@ public class RequestParserUtils {
/**
* Parse a <code>XMLDataObjectAssociationType</code> kind of DOM element.
- *
+ *
* @param assocElem The <code>XMLDataObjectAssociationType</code> kind of DOM
* elmeent to parse.
* @return The <code>XMLDataObjectAssociation</code> API object containing the
@@ -79,7 +79,7 @@ public class RequestParserUtils {
/**
* Parse a <code>MetaInfoType</code> kind of DOM element.
- *
+ *
* @param metaInfoElem The <code>MetaInfoType</code> kind of DOM element.
* @return The <code>MetaInfo</code> API object containing the data from the
* <code>metaInfoElem</code>.
@@ -97,7 +97,7 @@ public class RequestParserUtils {
/**
* Parse a <code>ContentOptionalRefType</code> or
* <code>ContentRequiredRefType</code> kind of DOM element.
- *
+ *
* @param contentParentElem The DOM element being the parent of the content
* element.
* @return The <code>Content</code> API object containing the data from the
@@ -127,7 +127,7 @@ public class RequestParserUtils {
/**
* Get the signing time from a Verfiy(CMS|XML)SignatureRequest.
- *
+ *
* @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code> DOM
* element.
* @param dateTimeXPath The XPath to lookup the <code>DateTime</code> element
@@ -162,11 +162,12 @@ public class RequestParserUtils {
/**
* Get the signing time from a Verfiy(CMS|XML)SignatureRequest.
- *
- * @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code> DOM
- * element.
- * @param dateTimeXPath The XPath to lookup the <code>DateTime</code> element
- * within the request.
+ *
+ * @param requestElem A <code>Verify(CMS|XML)SignatureRequest</code>
+ * DOM element.
+ * @param extendedValidationXPath The XPath to lookup the <code>DateTime</code>
+ * element within the request.
+ * @param defaultValue Default value if XPath value is null or empty
* @return Date The date and time corresponding to the <code>DateTime</code>
* element in the request. If no <code>DateTime</code> element exists in
* the request, <code>null</code> is returned.
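Review bot: The new `@param extendedValidationXPath` tag still carries the text of the `dateTimeXPath` tag it replaced ("The XPath to lookup the <code>DateTime</code> element"), so the parameter name and its description now contradict each other, and the summary line "Get the signing time" plus the `@return` text describing a `DateTime` look copied from the overload above. The method signature itself lies outside the hunk, so I cannot confirm what the method actually returns; once that is checked, the tag should read something like `@param extendedValidationXPath The XPath selecting the extended-validation element within the request` and the summary and `@return` should be rewritten to match.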
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
index 1156aa1..daf3802 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java
@@ -499,7 +499,7 @@ public class ResponseBuilderUtils {
* element.
* @param elementName The name of the newly created element.
* @param code The content of the <code>Code</code> subelement.
- * @param info The content of the <code>Info</code> subelement.
+ * @param name The content of the <code>Info</code> subelement.
*/
public static void addFormCheckElement(
Document response,
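Review bot: The `@param` tag was renamed from `info` to `name` but its description was left as "The content of the <code>Info</code> subelement", so the Javadoc now documents a parameter whose name and description disagree; the signature of `addFormCheckElement` continues past the hunk, so I cannot see which parameter the tag is meant for. If the parameter really holds the Info content, keep the description but say so explicitly, e.g. `@param name The value written into the <code>Info</code> subelement`; otherwise describe what `name` actually is.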
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java
index 7a246d6..beb1c15 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/TransformParser.java
@@ -23,11 +23,14 @@
package at.gv.egovernment.moa.spss.api.xmlbind;
+import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
+import javax.xml.transform.TransformerException;
+
import org.w3c.dom.Element;
import org.w3c.dom.traversal.NodeIterator;
@@ -42,6 +45,7 @@ import at.gv.egovernment.moa.spss.api.common.XPathFilter;
import at.gv.egovernment.moa.spss.api.common.XPathFilter2Transform;
import at.gv.egovernment.moa.spss.api.common.XPathTransform;
import at.gv.egovernment.moa.spss.api.common.XSLTTransform;
+import at.gv.egovernment.moaspss.logging.Logger;
import at.gv.egovernment.moaspss.util.Constants;
import at.gv.egovernment.moaspss.util.DOMUtils;
import at.gv.egovernment.moaspss.util.XPathUtils;
@@ -137,6 +141,13 @@ public class TransformParser {
} else if (XSLTTransform.XSLT.equals(algorithmUri)) {
return parseXSLTTransform(transformElem);
} else {
+ try {
+ Logger.info("Find suspect XML transformation: " + DOMUtils.serializeNode(transformElem));
+
+ } catch (TransformerException | IOException e) {
+ Logger.warn("Can not serialize suspect XML transformation", e);
+
+ }
throw new MOAApplicationException("1108", new Object[] { algorithmUri });
}
}
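Review bot: The added `Logger.info("Find suspect XML transformation: " + DOMUtils.serializeNode(transformElem))` writes the complete serialized `Transform` element from the request into the log at INFO level; that element is client-controlled, so its size and content (including embedded newlines) are chosen by the caller of a request that is being rejected with error 1108 anyway, which invites log flooding and log-line injection. I would log only `algorithmUri` at INFO and keep the serialized element for DEBUG, length-capped, e.g. `Logger.info("Rejected unsupported XML transformation algorithm: " + algorithmUri);` followed by the truncated serialization under `Logger.debug`. "suspect" also reads as if the transform were malicious rather than merely unsupported, so "unsupported" is the more accurate word. The enclosing parse method starts outside the hunk.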
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java
index bcab978..1279d73 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyCMSSignatureRequestParser.java
@@ -171,7 +171,7 @@ public class VerifyCMSSignatureRequestParser {
// put the signatories into a List
while (tokenizer.hasMoreTokens()) {
try {
- signatoriesList.add(new Integer(tokenizer.nextToken()));
+ signatoriesList.add(Integer.valueOf(tokenizer.nextToken()));
} catch (final NumberFormatException e) {
// this cannot occur if the request has been validated
}
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java
index bf11240..0f1a57d 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/CRLDistributionPoint.java
@@ -50,18 +50,19 @@ public class CRLDistributionPoint extends DistributionPoint implements
// create the mapping between reason code strings and their integer
// values
- RC_MAPPING.put("unused", new Integer(iaik.asn1.structures.DistributionPoint.unused));
- RC_MAPPING.put("keyCompromise", new Integer(iaik.asn1.structures.DistributionPoint.keyCompromise));
- RC_MAPPING.put("cACompromise", new Integer(iaik.asn1.structures.DistributionPoint.cACompromise));
- RC_MAPPING.put("affiliationChanged", new Integer(
+ RC_MAPPING.put("unused", Integer.valueOf(iaik.asn1.structures.DistributionPoint.unused));
+ RC_MAPPING.put("keyCompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.keyCompromise));
+ RC_MAPPING.put("cACompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.cACompromise));
+ RC_MAPPING.put("affiliationChanged", Integer.valueOf(
iaik.asn1.structures.DistributionPoint.affiliationChanged));
- RC_MAPPING.put("superseded", new Integer(iaik.asn1.structures.DistributionPoint.superseded));
+ RC_MAPPING.put("superseded", Integer.valueOf(iaik.asn1.structures.DistributionPoint.superseded));
RC_MAPPING.put("cessationOfOperation",
- new Integer(iaik.asn1.structures.DistributionPoint.cessationOfOperation));
- RC_MAPPING.put("certificateHold", new Integer(iaik.asn1.structures.DistributionPoint.certificateHold));
- RC_MAPPING.put("privilegeWithdrawn", new Integer(
+ Integer.valueOf(iaik.asn1.structures.DistributionPoint.cessationOfOperation));
+ RC_MAPPING.put("certificateHold", Integer.valueOf(
+ iaik.asn1.structures.DistributionPoint.certificateHold));
+ RC_MAPPING.put("privilegeWithdrawn", Integer.valueOf(
iaik.asn1.structures.DistributionPoint.privilegeWithdrawn));
- RC_MAPPING.put("aACompromise", new Integer(iaik.asn1.structures.DistributionPoint.aACompromise));
+ RC_MAPPING.put("aACompromise", Integer.valueOf(iaik.asn1.structures.DistributionPoint.aACompromise));
}
/**
@@ -76,12 +77,12 @@ public class CRLDistributionPoint extends DistributionPoint implements
/**
* Create a <code>CRLDistributionPoint</code>.
- *
+ *
* @param issuerName The name of the CA issuing the CRL referred to by this
* DP.
- *
+ *
* @param uri The URI of the distribution point.
- *
+ *
* @param reasonCodeStr A list of reason codes (a space-separated enumeration).
*/
public CRLDistributionPoint(String issuerName, String uri, String reasonCodeStr) {
@@ -101,7 +102,7 @@ public class CRLDistributionPoint extends DistributionPoint implements
/**
* Convert a list of reason codes provided as a <code>String</code> to a binary
* representation.
- *
+ *
* @param reasonCodeStr A <code>String</code> containing a blank-separated,
* textual representation of reason codes.
* @return int A binary representation of reason codes.
@@ -143,7 +144,7 @@ public class CRLDistributionPoint extends DistributionPoint implements
/**
* Return a binary representation of the reason codes of this distribution
* point.
- *
+ *
* @return The binary representation of the reason codes.
*/
@Override
@@ -153,7 +154,7 @@ public class CRLDistributionPoint extends DistributionPoint implements
/**
* Return a <code>String</code> representation of this distribution point.
- *
+ *
* @return The <code>String</code> representation of this distribution point.
* @see java.lang.Object#toString()
*/
@@ -163,7 +164,7 @@ public class CRLDistributionPoint extends DistributionPoint implements
}
/**
- * @see iaik.pki.revocation.CRLDistributionPoint#getIssuerName()
+ * Get CRL issuer-name.
*/
public String getIssuerName() {
return issuerName_;
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index 5f8b46d..09ec921 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -48,8 +48,10 @@ import org.w3c.dom.Element;
import org.w3c.dom.traversal.NodeIterator;
import org.xml.sax.SAXException;
+import at.gv.egovernment.moa.spss.MOAApplicationException;
import at.gv.egovernment.moa.spss.api.common.TSLConfiguration;
import at.gv.egovernment.moa.spss.api.impl.TSLConfigurationImpl;
+import at.gv.egovernment.moa.spss.api.xmlbind.ProfileParser;
import at.gv.egovernment.moa.spss.util.MessageProvider;
import at.gv.egovernment.moaspss.logging.LogMsg;
import at.gv.egovernment.moaspss.logging.Logger;
@@ -58,7 +60,6 @@ import at.gv.egovernment.moaspss.util.DOMUtils;
import at.gv.egovernment.moaspss.util.MiscUtil;
import at.gv.egovernment.moaspss.util.StringUtils;
import at.gv.egovernment.moaspss.util.XPathUtils;
-import iaik.asn1.structures.Name;
//import iaik.ixsil.exceptions.URIException;
//import iaik.ixsil.util.URI;
import iaik.pki.pathvalidation.ChainingModes;
@@ -96,7 +97,7 @@ public class ConfigurationPartsBuilder {
private static final int SHORT_TIME_CERT_DEFAULT_INTERVAL = 0;
private static final boolean SHORT_TIME_CERT_DEFAULT_ETSI = true;
-
+
//
// XPath expressions to select certain parts of the configuration
//
@@ -153,6 +154,11 @@ public class ConfigurationPartsBuilder {
private static final String KEYGROUP_MAPPING_XPATH =
ROOT + CONF + "SignatureCreation/"
+ CONF + "KeyGroupMapping";
+
+ private static final String SIGN_PARAMS_XPATH =
+ ROOT + CONF + "SignatureCreation/"
+ + CONF + "Signing";
+
private static final String ISSUER_XPATH =
DSIG + "X509IssuerName";
private static final String SERIAL_XPATH =
@@ -176,6 +182,10 @@ public class ConfigurationPartsBuilder {
+ CONF + "PathConstruction/"
+ CONF + "AutoAddEECertificates";
+ private static final String STRICT_SIGNATURE_VALUE_PARSING_XPATH_ =
+ ROOT + CONF + "SignatureVerification/"
+ + CONF + "StrictSignatureValueParsing";
+
private static final String USE_AUTHORITY_INFO_ACCESS_XPATH_ =
ROOT + CONF + "SignatureVerification/"
+ CONF + "CertificateValidation/"
@@ -208,17 +218,17 @@ public class ConfigurationPartsBuilder {
+ CONF + "RevocationChecking/"
+ CONF + "CrlRetentionIntervals/"
+ CONF + "CA";
-
+
private static final String SHORT_TIME_CERTS_INTERVALS_XPATH =
ROOT + CONF + "SignatureVerification/"
+ CONF + "CertificateValidation/"
+ CONF + "RevocationChecking/"
+ CONF + "ShortTermedCertificates";
-
+
private static final String SHORT_TIME_CERTS_INTERVALS_CA_XPATH =
SHORT_TIME_CERTS_INTERVALS_XPATH + "/"
+ CONF + "CA";
-
+
private static final String ENABLE_REVOCATION_CHECKING_XPATH_ =
ROOT + CONF + "SignatureVerification/"
+ CONF + "CertificateValidation/"
@@ -437,7 +447,7 @@ public class ConfigurationPartsBuilder {
/**
* Get the connection timeout to set-up a network connection
- *
+ *
* @return timeout in milliseconds [ms]
*/
public int getConnectionTimeout() {
@@ -459,7 +469,7 @@ public class ConfigurationPartsBuilder {
return defaultConnectionTimeout * 1000;
}
-
+
public int getReadTimeout() {
final String connectionTimeout = getElementValue(getConfigElem(), READ_TIMEOUT_XPATH_, "30");
@@ -571,7 +581,7 @@ public class ConfigurationPartsBuilder {
entry = new BlackListEntry(host, -1);
info("config.34", new Object[] { host });
} else {
- entry = new BlackListEntry(host, new Integer(port).intValue());
+ entry = new BlackListEntry(host, Integer.valueOf(port).intValue());
info("config.34", new Object[] { host + ":" + port });
}
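Review bot: `Integer.valueOf(port).intValue()` boxes and immediately unboxes; the direct form is `Integer.parseInt(port)`, and the same applies to the identical `WhiteListEntry` line further down. Both variants still throw an unhandled `NumberFormatException` on a malformed port and accept values outside 0–65535, so if the surrounding loop is meant to be tolerant of a bad blacklist entry a range check with a `warn` would be worth adding; that surrounding loop starts outside the hunk.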
@@ -621,7 +631,7 @@ public class ConfigurationPartsBuilder {
entry = new WhiteListEntry(host, -1);
info("config.49", new Object[] { host });
} else {
- entry = new WhiteListEntry(host, new Integer(port).intValue());
+ entry = new WhiteListEntry(host, Integer.valueOf(port).intValue());
info("config.49", new Object[] { host + ":" + port });
}
@@ -754,9 +764,22 @@ public class ConfigurationPartsBuilder {
final String keyGroupDigestMethodAlgorithm = getElementValue(keyGroupElem, CONF
+ "DigestMethodAlgorithm", null);
- final Set keyGroupEntries =
- buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem);
- final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries, keyGroupDigestMethodAlgorithm);
+ final Set keyGroupEntries = buildKeyGroupEntries(keyGroupId, keyModuleIds, keyGroupElem);
+
+ String rsaSsaPssAttr = keyGroupElem.getAttribute("RSASSA-PSS");
+ Boolean useRsaSsaPss = null;
+ if (org.apache.commons.lang3.StringUtils.isNotEmpty(rsaSsaPssAttr)) {
+ useRsaSsaPss = Boolean.valueOf(keyGroupElem.getAttribute("RSASSA-PSS"));
+ Logger.info((useRsaSsaPss ? "Enable" : "Disable")
+ + " RSASSA-PSS as primary signature-algorithm for keyGroup: " + keyGroupId);
+
+ } else {
+ Logger.debug("RSASSA-PSS is not defined for keyGroup: " + keyGroupId);
+
+ }
+
+ final KeyGroup keyGroup = new KeyGroup(keyGroupId, keyGroupEntries,
+ keyGroupDigestMethodAlgorithm, useRsaSsaPss);
if (keyGroups.containsKey(keyGroupId)) {
warn("config.04", new Object[] { "KeyGroup", keyGroupId });
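Review bot: `Boolean.valueOf(keyGroupElem.getAttribute("RSASSA-PSS"))` maps any value other than the literal "true" (case-insensitively) to `false`, so a configuration typo such as `RSASSA-PSS="yes"` silently selects the non-PSS RSA signature scheme for that key group while logging "Disable RSASSA-PSS" as if that had been intended; for a signature-algorithm choice that deserves a warning rather than a silent fallback. The line also re-reads the attribute instead of using the `rsaSsaPssAttr` just fetched. Suggested: `if (!"true".equalsIgnoreCase(rsaSsaPssAttr) && !"false".equalsIgnoreCase(rsaSsaPssAttr)) { Logger.warn("Unexpected RSASSA-PSS value '" + rsaSsaPssAttr + "' for keyGroup: " + keyGroupId); }` before `useRsaSsaPss = Boolean.valueOf(rsaSsaPssAttr);`. The enclosing method starts outside the hunk.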
@@ -1082,7 +1105,7 @@ public class ConfigurationPartsBuilder {
/**
* Build the <code>CreateSignatureEnvironmentProfile</code>s.
- *
+ *
* @return The mapping from profile ID to profile.
*/
public Map buildCreateSignatureEnvironmentProfiles() {
@@ -1095,7 +1118,21 @@ public class ConfigurationPartsBuilder {
* @return The mapping from profile ID to profile.
*/
public Map buildVerifyTransformsInfoProfiles() {
- return loadProfiles(VERIFY_TRANSFORMS_INFO_PROFILE_XPATH, "VerifyTransformsInfoProfile");
+ Map<String, Element> profiles = loadProfiles(VERIFY_TRANSFORMS_INFO_PROFILE_XPATH, "VerifyTransformsInfoProfile");
+
+ // validate entries
+ ProfileParser profileParser = new ProfileParser();
+ profiles.entrySet().forEach(el -> {
+ try {
+ profileParser.parseVerifyTransformsInfoProfile(el.getValue());
+
+ } catch (MOAApplicationException e) {
+ Logger.warn("TransformationProfile with Id:" + el.getKey() + " is invalid: " + e.getMessage());
+ }
+ });
+
+ return profiles;
+
}
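Review bot: The new validation loop in `buildVerifyTransformsInfoProfiles` only warns about a profile that fails to parse and then returns it in the map unchanged, so a broken `VerifyTransformsInfoProfile` is still selectable by ID at request time; a startup warning is easy to miss, and the only effect is that the same failure presumably recurs per request. Either drop the invalid entries (below) or fail configuration loading outright, whichever matches the intended operator experience; in both cases pass the exception to `Logger.warn` instead of only `e.getMessage()` so the cause is kept. Note also that `loadProfiles` is now generic but the method still returns a raw `Map`, so callers gain nothing from the change.
```java
// validate entries; drop profiles that do not parse so they cannot be selected at request time
ProfileParser profileParser = new ProfileParser();
profiles.entrySet().removeIf(el -> {
  try {
    profileParser.parseVerifyTransformsInfoProfile(el.getValue());
    return false;
  } catch (MOAApplicationException e) {
    Logger.warn("TransformationProfile with Id: " + el.getKey() + " is invalid and will be ignored", e);
    return true;
  }
});
return profiles;
```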
/**
@@ -1116,8 +1153,8 @@ public class ConfigurationPartsBuilder {
*
* @return Map The profile ID to profile mapping.
*/
- private Map loadProfiles(String xpath, String profileRoot) {
- final Map profiles = new HashMap();
+ private Map<String, Element> loadProfiles(String xpath, String profileRoot) {
+ final Map<String, Element> profiles = new HashMap<>();
final NodeIterator profileIter = XPathUtils.selectNodeIterator(getConfigElem(), xpath);
Element profileElem;
@@ -1254,8 +1291,12 @@ public class ConfigurationPartsBuilder {
// check if TSL support is enabled
final Element eutslElem = (Element) XPathUtils.selectSingleNode(profileElem, CONF + "EUTSL");
boolean tslEnabled = false;
+ boolean forceTslAvailability = true;
+
if (eutslElem != null) {
tslEnabled = true;
+ forceTslAvailability = Boolean.valueOf(getAttributeValue(
+ profileElem, CONF + "EUTSL" + "/@" + "forceAvailability", String.valueOf(true)));
}
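Review bot: `forceTslAvailability` defaults to `true` when the `forceAvailability` attribute is absent, but `Boolean.valueOf` turns any present value other than the literal "true" (e.g. "1", "yes", "true " with trailing whitespace) into `false`, so a malformed attribute silently relaxes a default that, judging by its name, makes TSL availability mandatory for the trust profile; what the flag controls is decided in `TrustProfile`, which is not visible here. I would trim the value and warn on anything that is neither "true" nor "false", e.g. `final String force = getAttributeValue(profileElem, CONF + "EUTSL/@forceAvailability", "true").trim();` followed by `if (!"true".equalsIgnoreCase(force) && !"false".equalsIgnoreCase(force)) { warn(...); }` before `forceTslAvailability = Boolean.valueOf(force);`. The enclosing method starts and ends outside the hunk.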
// load TSL configuration
@@ -1266,9 +1307,12 @@ public class ConfigurationPartsBuilder {
final String allowedTspServiceTypes = getElementValue(profileElem, CONF + "EUTSL" + "/" + CONF
+ "AllowedTSPServiceTypes", null);
+
+
// create profile configuration
final TrustProfile profile = new TrustProfile(id, trustAnchorsLocURI.toString(), signerCertsLocStr,
- tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes);
+ tslEnabled, countries, allowedTspStatus, allowedTspServiceTypes, forceTslAvailability);
+
trustProfiles.put(id, profile);
}
@@ -1478,7 +1522,7 @@ public class ConfigurationPartsBuilder {
* Returns the JDBC URL for the revocation archive database.
*
* @return the JDBC URL for the revocation archive database, or
- * <code>null</code, if the corresponding parameter is not set in the
+ * <code>null</code>, if the corresponding parameter is not set in the
* configuration.
*/
public String getRevocationArchiveJDBCURL() {
@@ -1488,9 +1532,9 @@ public class ConfigurationPartsBuilder {
/**
* Returns the JDBC driver class name for the revocation archive database.
- *
+ *
* @return the JDBC driver class name for the revocation archive database, or
- * <code>null</code, if the corresponding parameter is not set in the
+ * <code>null</code>, if the corresponding parameter is not set in the
* configuration.
*/
public String getRevocationArchiveJDBCDriverClass() {
@@ -1576,13 +1620,18 @@ public class ConfigurationPartsBuilder {
public boolean getAutoEEAddCertificates() {
final String autoAdd = getElementValue(getConfigElem(), AUTO_ADD_EE_CERTIFICATES_XPATH_, null);
- if (autoAdd != null) {
+ if (autoAdd != null) {
return Boolean.valueOf(autoAdd).booleanValue();
-
+
} else {
return false;
-
+
}
+ }
+
+ public boolean isStrictSignatureValueParsingEnabled() {
+ final String isActive = getElementValue(getConfigElem(), STRICT_SIGNATURE_VALUE_PARSING_XPATH_, "true");
+ return Boolean.valueOf(isActive).booleanValue();
}
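Review bot: `isStrictSignatureValueParsingEnabled` defaults to "true" when the element is missing, but `Boolean.valueOf(isActive)` returns `false` for any other string, so a typo in `StrictSignatureValueParsing` silently switches the service to lenient ASN.1 signature-value parsing, which is the less safe mode, with no log line. I would validate the literal and keep the strict default on anything unexpected, e.g. `if (!"true".equalsIgnoreCase(isActive) && !"false".equalsIgnoreCase(isActive)) { warn(...); return true; }`, and log the effective setting at startup the way the RSASSA-PSS getter in this file does. A short Javadoc stating what "strict" rejects would also help, since the field comment in `ConfigurationProvider` only says "strict parsing or ASN.1 signature values".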
@@ -1731,7 +1780,7 @@ public class ConfigurationPartsBuilder {
while ((modElem = (Element) modIter.nextNode()) != null) {
final String x509IssuerName = getElementValue(modElem, CONF + "X509IssuerName", null);
final String i = getElementValue(modElem, CONF + "Interval", null);
- final Integer interval = new Integer(i);
+ final Integer interval = Integer.valueOf(i);
map.put(ConfigurationProvider.normalizeX500Names(x509IssuerName), interval);
}
@@ -1739,53 +1788,81 @@ public class ConfigurationPartsBuilder {
return map;
}
-
+ /**
+ * Use RSASSA-PSS algorithm if it's supported by Key-Material.
+ *
+ * <p>
+ * <b>Default: </b> <code>true</code>
+ * </p>
+ *
+ * @return <code>true</code> if RSASSA-PSS should be used, otherwise false.
+ */
+ public boolean isRsaSsaPssEnabled() {
+ final NodeIterator modIter = XPathUtils.selectNodeIterator(
+ getConfigElem(),
+ SIGN_PARAMS_XPATH);
+
+
+ Element modElem;
+ if ((modElem = (Element) modIter.nextNode()) != null) {
+ Boolean value = Boolean.valueOf(modElem.getAttribute("RSASSA-PSS"));
+ Logger.debug((value ? "Enable" : "Disable") + " RSASSA-PSS as primary signature-algorithm for RSA");
+ return value;
+
+ } else {
+ Logger.debug("Enable RSASSA-PSS as primary signature-algorithm for RSA");
+ return true;
+
+ }
+ }
+
/**
* Should ETSI extension should be used for short-time certificate validation.
- *
+ *
* @return <code>true</code> if it is used
*/
public boolean isShotTimeCertEtsiExtCheck() {
final NodeIterator modIter = XPathUtils.selectNodeIterator(
getConfigElem(),
SHORT_TIME_CERTS_INTERVALS_XPATH);
-
+
Element modElem;
- if ((modElem = (Element) modIter.nextNode()) != null) {
- Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension"));
- Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension");
+ if ((modElem = (Element) modIter.nextNode()) != null) {
+ Boolean value = Boolean.valueOf(modElem.getAttribute("checkETSIValidityAssuredExtension"));
+ Logger.debug((value ? "Enable" : "Disable") + "shortTime certificate ETSI extension");
return value;
-
+
}
-
- return SHORT_TIME_CERT_DEFAULT_ETSI;
+
+ return SHORT_TIME_CERT_DEFAULT_ETSI;
}
-
+
+
/**
* Get default shortTime certificate interval.
- *
+ *
* @return Time in minutes
*/
public int getShotTimeCertDefaultInterval() {
final NodeIterator modIter = XPathUtils.selectNodeIterator(
getConfigElem(),
SHORT_TIME_CERTS_INTERVALS_XPATH);
-
+
Element modElem;
if ((modElem = (Element) modIter.nextNode()) != null) {
String defaultString = modElem.getAttribute("defaultValidityPeriod");
Logger.debug("Set default shortTimePeriodInterval to: " + defaultString);
return Integer.valueOf(defaultString);
-
+
}
-
- return SHORT_TIME_CERT_DEFAULT_INTERVAL;
+
+ return SHORT_TIME_CERT_DEFAULT_INTERVAL;
}
-
-
+
+
/**
* Returns a map of shortTime certificate intervals.
- *
+ *
* <p>
* No revocation checks are performed during this interval.
* </p>
@@ -1803,13 +1880,13 @@ public class ConfigurationPartsBuilder {
final String x509IssuerName = ConfigurationProvider.normalizeX500Names(
getElementValue(modElem, CONF + "X509IssuerName", null));
final String i = getElementValue(modElem, CONF + "ValidityPeriod", null);
- final Integer interval = new Integer(i);
+ final Integer interval = Integer.valueOf(i);
map.put(x509IssuerName, interval);
Logger.debug("Set shortTimePeriodInterval: " + interval + " for Issuer: " + x509IssuerName);
-
+
}
return map;
}
-
+
}
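Review bot: In `isRsaSsaPssEnabled`, a `<Signing>` element that is present but has no `RSASSA-PSS` attribute yields `getAttribute(...) == ""`, and `Boolean.valueOf("")` is `false`, so merely declaring the element disables RSASSA-PSS and logs "Disable", contradicting the Javadoc's "Default: true"; the key-group parsing added in the same commit guards this case with `isNotEmpty`, and this method should do the same: `if (modElem != null && modElem.hasAttribute("RSASSA-PSS")) { Boolean value = Boolean.valueOf(modElem.getAttribute("RSASSA-PSS")); ... }` with the `else` branch keeping the `true` default. Values other than "true"/"false" still deserve a warning, as elsewhere in this file. The neighbouring `isShotTimeCertEtsiExtCheck`, which this hunk only re-indents, has the same empty-attribute behaviour and a missing space in `"Disable") + "shortTime certificate ETSI extension"`.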
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
index 85930b2..6856e56 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationProvider.java
@@ -103,6 +103,9 @@ public class ConfigurationProvider {
/** The default canonicalization algorithm name */
private String canonicalizationAlgorithmName;
+ /** The default of use RSASSA-PSS if supported */
+ private boolean useRsaSsaPss;
+
/** The XAdES version used for signature creation */
private String xadesVersion;
@@ -112,6 +115,9 @@ public class ConfigurationProvider {
private int connectionTimeout;
private int readTimeout;
+ /** Enable strict parsing or ASN.1 signature values */
+ private boolean strictSignatureValueParsing = true;
+
/**
* A <code>List</code> of <code>HardwareCryptoModule</code> objects for
* configuring hardware modules.
@@ -258,12 +264,12 @@ public class ConfigurationProvider {
*/
private Map crlRetentionIntervals;
-
+
private boolean useShortTimeCertificateEtisExt;
private int defaultShortTimeCertificatePeriod;
private Map<String, Integer> shortTimeCertificatePeriods;
-
-
+
+
/**
* Indicates wether external URIs are allowed or not
*/
@@ -372,6 +378,8 @@ public class ConfigurationProvider {
// check TSL configuration
checkTSLConfiguration();
+ useRsaSsaPss = builder.isRsaSsaPssEnabled();
+
digestMethodAlgorithmName = builder.getDigestMethodAlgorithmName();
canonicalizationAlgorithmName =
builder.getCanonicalizationAlgorithmName();
@@ -384,13 +392,15 @@ public class ConfigurationProvider {
allKeyModules.addAll(softwareKeyModules);
keyGroups = builder.buildKeyGroups(allKeyModules);
keyGroupMappings = builder.buildKeyGroupMappings(keyGroups, ANONYMOUS_ISSUER_SERIAL);
-
+
this.connectionTimeout = builder.getConnectionTimeout();
Logger.debug("Set 'Connection-Timeout' to " + String.valueOf(this.connectionTimeout) + "[ms]");
-
+
this.readTimeout = builder.getReadTimeout();
Logger.debug("Set 'Read-Timeout' to " + String.valueOf(this.readTimeout) + "[ms]");
-
+
+ strictSignatureValueParsing = builder.isStrictSignatureValueParsingEnabled();
+
pdfAsConfiguration = builder.getPDFASConfiguration();
adesFormResults = builder.getAdesFormResult();
xadesVersion = builder.getXAdESVersion();
@@ -425,7 +435,7 @@ public class ConfigurationProvider {
shortTimeCertificatePeriods = builder.getShotTimeCertIntervals();
defaultShortTimeCertificatePeriod = builder.getShotTimeCertDefaultInterval();
useShortTimeCertificateEtisExt = builder.isShotTimeCertEtsiExtCheck();
-
+
allowExternalUris_ = builder.allowExternalUris();
if (allowExternalUris_) {
@@ -551,6 +561,15 @@ public class ConfigurationProvider {
}
/**
+ * Use RSASSA-PSS algorithm if it's supported by Key-Material.
+ *
+ * @return <code>true</code> if RSASSA-PSS should be used, otherwise false.
+ */
+ public boolean isUseRsaSsaPss() {
+ return useRsaSsaPss;
+ }
+
+ /**
* Return the XAdES version used for signature creation.
*
* @return The XAdES version used for signature creation, or an empty
@@ -681,7 +700,7 @@ public class ConfigurationProvider {
// Entry thisEntry = (Entry) entries.next();
// System.out.println("Entry: " + thisEntry.getKey());
// System.out.println("Value: " + thisEntry.getValue());
-// }
+// }
mapping = (Map) keyGroupMappings.get(issuerAndSerial);
if (mapping != null) {
@@ -972,6 +991,19 @@ public class ConfigurationProvider {
}
/**
+ * Activates / deactivates strict parsing of ASN.1 encoded signature values.
+ *
+ * <p>
+ * <b>Default:</b> true
+ * </p>
+ *
+ * @return <code>true</code> if enabled, otherwise <code>false</code>
+ */
+ public boolean isStrictSignatureValueParsing() {
+ return strictSignatureValueParsing;
+ }
+
+ /**
* Returns whether the certificate extension Authority Info Access should be
* used during certificate path construction.
*
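Review bot: The Javadoc on `isStrictSignatureValueParsing()` says `Activates / deactivates strict parsing of ASN.1 encoded signature values`, but the method only reports the configured value and has no side effect. Suggested wording: `Returns whether strict (DER minimum-length) parsing of ASN.1 encoded signature values is enabled. Default: true.` Stating that the setting is applied process-wide at startup, if that is how it is consumed, would help operators understand that it cannot be toggled per profile.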
@@ -1008,7 +1040,7 @@ public class ConfigurationProvider {
public TSLConfiguration getTSLConfiguration() {
return tslconfiguration_;
}
-
+
public int getDefaultShortTimeCertificatePeriod() {
return defaultShortTimeCertificatePeriod;
}
@@ -1021,20 +1053,20 @@ public class ConfigurationProvider {
return shortTimeCertificatePeriods;
}
-
-
+
+
public static final String normalizeX500Names(String x500Name) {
try {
final RFC2253NameParser parser = new RFC2253NameParser(x500Name);
final Name name = parser.parse();
return name.getRFC2253String();
-
+
} catch (final RFC2253NameParserException e) {
Logger.info("X500Name: " + x500Name + " can not be normalized. Use it as it is");
return x500Name;
-
+
}
-
+
}
-
+
} \ No newline at end of file
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
index faeaf82..fc374ab 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/KeyGroup.java
@@ -42,6 +42,9 @@ public class KeyGroup {
/** The digest method algorithm for the key group */
private final String digestMethodAlgorithm;
+ /** Use RSASSA-PSS if supported */
+ private final Boolean useRsaSsaPss;
+
/**
* Create a <code>KeyGroup</code>.
*
@@ -51,9 +54,25 @@ public class KeyGroup {
* @param digestMethodAlgorithm The signature algorithm used for this key group
*/
public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm) {
+ this(id, keyGroupEntries, digestMethodAlgorithm, true);
+
+ }
+
+ /**
+ * Create a <code>KeyGroup</code>.
+ *
+ * @param id The ID of this <code>KeyGroup</code>.
+ * @param keyGroupEntries The keys belonging to this
+ * <code>KeyGroup</code>.
+ * @param useRsaSsaPss Use RSASSA-PSS if available and supported
+ * @param digestMethodAlgorithm The signature algorithm used for this key group
+ */
+ public KeyGroup(String id, Set keyGroupEntries, String digestMethodAlgorithm, Boolean useRsaSsaPss) {
this.id = id;
this.keyGroupEntries = keyGroupEntries;
this.digestMethodAlgorithm = digestMethodAlgorithm;
+ this.useRsaSsaPss = useRsaSsaPss;
+
}
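Review bot: The retained three-argument constructor delegates with `true` for `useRsaSsaPss`, although the field is a `Boolean` whose accessor documents `null` as "undefined"; any caller still on the old signature therefore gets RSASSA-PSS hard-enabled instead of the undefined state that would presumably let the configuration-wide `isUseRsaSsaPss()` default apply. Consider `this(id, keyGroupEntries, digestMethodAlgorithm, null);` unless hard-enabling is intended, in which case say so in its Javadoc. The Javadoc of the new constructor also lists `@param useRsaSsaPss` before `@param digestMethodAlgorithm`, the reverse of the parameter order.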
/**
@@ -84,6 +103,17 @@ public class KeyGroup {
}
/**
+ * Use RSASSA-PSS algorithm if it's supported by Key-Material.
+ *
+ * @return <code>true</code> if RSASSA-PSS should be used, <code>false</code> if
+ * it is disabled, or <code>null</code> if it is undefined
+ */
+ public Boolean isUseRsaSsaPass() {
+ return useRsaSsaPss;
+
+ }
+
+ /**
* Return a <code>String</code> representation of this <code>KeyGroup</code>.
*
* @return The <code>String</code> representation.
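Review bot: The accessor is named `isUseRsaSsaPass()` while the field and every other identifier in this change spell the algorithm `RsaSsaPss`; the typo will be copied into every caller. Rename it to `public Boolean isUseRsaSsaPss()`, or better `getUseRsaSsaPss()`, since a three-valued `Boolean` that may be `null` is not an `is` property by bean conventions.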
@@ -102,7 +132,7 @@ public class KeyGroup {
}
}
return "(KeyGroup - ID:" + id + " " + sb.toString() + ")" + "DigestMethodAlgorithm: "
- + digestMethodAlgorithm;
+ + digestMethodAlgorithm + useRsaSsaPss != null ? ("RSASSA-PSS: " + useRsaSsaPss) : "";
}
}
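Review bot: The new last line of `toString()` is mis-parenthesised: `+` binds tighter than `!=`, so the whole concatenated string is compared with `null` (always true for a freshly built `String`) and the method returns only `"RSASSA-PSS: " + useRsaSsaPss`, dropping the key group ID, entries and digest algorithm from every log line that prints a `KeyGroup`. Replace it with `+ digestMethodAlgorithm + (useRsaSsaPss != null ? " RSASSA-PSS: " + useRsaSsaPss : "");`. The leading space also keeps the flag from being glued onto the algorithm name.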
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java
index 94155d6..31a2fc5 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/TrustProfile.java
@@ -51,6 +51,7 @@ public class TrustProfile {
/** Defines if Trustprofile makes use of EU TSL */
private final boolean tslEnabled;
+ private final boolean forceTslAvailability;
/** The countries given */
private final List<String> countries = new ArrayList<>();
@@ -71,13 +72,15 @@ public class TrustProfile {
* @param allowedTspStatus
*/
public TrustProfile(String id, String uri, String signerCertsUri,
- boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes) {
+ boolean tslEnabled, String countries, String allowedTspStatus, String allowedTspServiceTypes,
+ boolean forceTslAvailability) {
this.id = id;
this.uri = uri;
this.signerCertsUri = signerCertsUri;
// TSL configuration parameters
this.tslEnabled = tslEnabled;
+ this.forceTslAvailability = forceTslAvailability;
if (tslEnabled) {
setCountries(countries);
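Review bot: The new `forceTslAvailability` parameter is not documented in the constructor Javadoc, which still ends at `@param allowedTspStatus`. Add `@param forceTslAvailability if true, building a PKI profile from this trust profile fails when the TSL client is not initialised; if false the directory trust store is used alone` — the fallback itself is implemented in `PKIProfileImpl.buildTrustStoreWithTslSupport`, not in this class. The constructor body continues past the end of this hunk.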
@@ -96,6 +99,9 @@ public class TrustProfile {
Logger.info("TrustProfile " + id + " allows " + Arrays.toString(this.allowedTspServiceTypes.toArray())
+ " TSL service-type identifier");
+ Logger.info("TrustProfile " + id +
+ (forceTslAvailability ? " enforce" : " not enforce") + " TSL availability");
+
}
}
@@ -202,6 +208,15 @@ public class TrustProfile {
}
/**
+ * Indicates of TSL must or should be available.
+ *
+ * @return <code>true</code> of TSL must be available
+ */
+ public boolean isForceTslAvailability() {
+ return forceTslAvailability;
+ }
+
+ /**
* Returns the given countries
*
* @return Given countries
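Review bot: The Javadoc on `isForceTslAvailability()` reads `Indicates of TSL must or should be available` and `@return true of TSL must be available`; both `of` should be `whether`/`if`. Suggested: `Indicates whether the EU TSL must be available when this profile is used.` with `@return true if profile construction must fail when the TSL client is not initialised, false if the directory trust store is used instead`, which matches the branch in `PKIProfileImpl`.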
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java
index d660c7a..e5b6025 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/cmssign/CMSSignatureCreationProfileImpl.java
@@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.cmssign;
import java.util.List;
import java.util.Set;
+import org.apache.commons.lang3.StringUtils;
+
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
@@ -63,15 +65,36 @@ public class CMSSignatureCreationProfileImpl
/** Digest Method algorithm */
private String digestMethod;
private final boolean isPAdESConform;
+ private final boolean rsaSsaPss;
+
+ public CMSSignatureCreationProfileImpl(
+ Set keySet,
+ String digestMethod,
+ List signedProperties,
+ boolean securityLayerConform,
+ boolean includeData,
+ String mimeType,
+ boolean isPAdESConform) {
+ this(keySet, digestMethod, signedProperties, securityLayerConform, includeData, mimeType,
+ isPAdESConform, true);
+
+ }
/**
- * Create a new <code>XMLSignatureCreationProfileImpl</code>.
+ * Creates a CMS based signature-creation profile.
*
- * @param createProfileCount Provides external information about the number of
- * calls to the signature creation module, using the
- * same request.
- * @param reservedIDs The set of IDs that must not be used while
- * generating new IDs.
+ * @param keySet Set of signing keys
+ * @param digestMethod Hash algorithm
+ * @param signedProperties List of signing properties
+ * @param securityLayerConform If <code>true</code> create a CAdES-B signature,
+ * otherwise CMS signature
+ * @param includeData If <code>true</code> create an embedded
+ * signature, otherwise a detached
+ * @param mimeType MimeType to be set
+ * @param isPAdESConform If <code>true</code> signature fulfill PAdES
+ * requirements
+ * @param rsaSsaPss If <code>true</code> use RSASSA-PSS algorithms,
+ * otherwise RSA#1.5
*/
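Review bot: The seven-argument constructor kept for compatibility delegates with `rsaSsaPss = true`, so every caller that is not updated silently switches from PKCS#1 v1.5 to RSASSA-PSS for SHA-2 digests as soon as the key reports PSS support; if that is intended, document it on that constructor (it currently has no Javadoc), otherwise pass the configured value through from `ConfigurationProvider.isUseRsaSsaPss()`. In the `@param rsaSsaPss` line, `otherwise RSA#1.5` is not a standard name and should read `otherwise RSASSA-PKCS1-v1_5 (RFC 8017)`. Whether all relying verifiers of the produced CMS/CAdES signatures accept PSS should be confirmed before the default is flipped.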
public CMSSignatureCreationProfileImpl(
Set keySet,
@@ -80,7 +103,8 @@ public class CMSSignatureCreationProfileImpl
boolean securityLayerConform,
boolean includeData,
String mimeType,
- boolean isPAdESConform) {
+ boolean isPAdESConform,
+ boolean rsaSsaPss) {
this.keySet = keySet;
this.signedProperties = signedProperties;
this.securityLayerConform = securityLayerConform;
@@ -88,6 +112,7 @@ public class CMSSignatureCreationProfileImpl
this.mimeType = mimeType;
this.digestMethod = digestMethod;
this.isPAdESConform = isPAdESConform;
+ this.rsaSsaPss = rsaSsaPss;
}
@@ -131,11 +156,70 @@ public class CMSSignatureCreationProfileImpl
null);
}
+ final String selectedSigAlg = selectBestSigAlg(algorithms, selectedKeyID);
+ Logger.trace("Selecting SigAlg: " + selectedSigAlg);
+ return selectedSigAlg;
+
+ }
+
+ /**
+ * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties()
+ */
+ @Override
+ public List getSignedProperties() {
+ return signedProperties;
+ }
+
+ /**
+ * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform()
+ */
+ @Override
+ public boolean isSecurityLayerConform() {
+ return securityLayerConform;
+ }
+
+ /**
+ * Sets the security layer conformity.
+ *
+ * @param securityLayerConform <code>true</code>, if the created signature is to
+ * be conform to the Security Layer specification.
+ */
+ public void setSecurityLayerConform(boolean securityLayerConform) {
+ this.securityLayerConform = securityLayerConform;
+ }
+
+ public void setDigestMethod(String digestMethod) {
+ this.digestMethod = digestMethod;
+ }
+
+ @Override
+ public String getMimeType() {
+ return mimeType;
+ }
+
+ @Override
+ public boolean includeData() {
+ return this.includeData;
+ }
+
+ @Override
+ public boolean isPAdESConform() {
+ return this.isPAdESConform;
+ }
+
+ private String selectBestSigAlg(Set algorithms, KeyEntryID selectedKeyID) throws AlgorithmUnavailableException {
+ Logger.trace("Key: " + selectedKeyID + " supports signingAlgs: " + StringUtils.join(algorithms, ","));
+
+ // TODO: maybe add support for parameterized RSASSA-PSS
+
if (digestMethod.compareTo("SHA-1") == 0) {
Logger.warn(
"SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)");
- if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) {
+ if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1)) {
+ return SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) {
return SignatureAlgorithms.SHA1_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.ECDSA)) {
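Review bot: In `selectBestSigAlg` the SHA-1 branch returns `SHA1_WITH_RSA_AND_MGF1` whenever the key lists it, without consulting `rsaSsaPss`, whereas the SHA-256/384/512 branches in the following hunks are gated with `rsaSsaPss && …`; a deployment that disabled RSASSA-PSS because its verifiers do not accept it would still get PSS for SHA-1. Change the condition to `if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA_AND_MGF1)) {`. Given that SHA-1 is already warned against two lines above, adding a new SHA-1 code path at all is questionable. The method continues past the end of this hunk.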
@@ -152,7 +236,11 @@ public class CMSSignatureCreationProfileImpl
}
} else if (digestMethod.compareTo("SHA-256") == 0) {
- if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+ if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) {
+
+ return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
return SignatureAlgorithms.SHA256_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) {
@@ -168,7 +256,10 @@ public class CMSSignatureCreationProfileImpl
null);
}
} else if (digestMethod.compareTo("SHA-384") == 0) {
- if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
+ if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) {
+ return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
return SignatureAlgorithms.SHA384_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) {
@@ -184,7 +275,10 @@ public class CMSSignatureCreationProfileImpl
null);
}
} else if (digestMethod.compareTo("SHA-512") == 0) {
- if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+ if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) {
+ return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
return SignatureAlgorithms.SHA512_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) {
@@ -205,52 +299,6 @@ public class CMSSignatureCreationProfileImpl
null,
null);
}
-
- }
-
- /**
- * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties()
- */
- @Override
- public List getSignedProperties() {
- return signedProperties;
- }
-
- /**
- * @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform()
- */
- @Override
- public boolean isSecurityLayerConform() {
- return securityLayerConform;
- }
-
- /**
- * Sets the security layer conformity.
- *
- * @param securityLayerConform <code>true</code>, if the created signature is to
- * be conform to the Security Layer specification.
- */
- public void setSecurityLayerConform(boolean securityLayerConform) {
- this.securityLayerConform = securityLayerConform;
- }
-
- public void setDigestMethod(String digestMethod) {
- this.digestMethod = digestMethod;
- }
-
- @Override
- public String getMimeType() {
- return mimeType;
- }
-
- @Override
- public boolean includeData() {
- return this.includeData;
- }
-
- @Override
- public boolean isPAdESConform() {
- return this.isPAdESConform;
}
}
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java
index d1b776b..befeab7 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/CRLRetriever.java
@@ -43,7 +43,6 @@ import iaik.pki.store.revocation.RevocationStoreException;
* A customized implementation of
* {@link iaik.pki.store.revocation.RevocationInfoRetriever}. Will be used
* instead of the default implementation
- * {@link iaik.pki.store.revocation.CRLRetriever} to overcome a classloader
* problem in connection with the {@link java.net.URL} class in a Tomcat
* deployment environment.
*
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java
index 22cceeb..0e12f89 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/config/DataBaseArchiveParameterImpl.java
@@ -28,7 +28,6 @@ import iaik.pki.store.revocation.archive.DataBaseArchiveParameters;
/**
* An implementation of the <code>DataBaseArchiveParameter</code> interface.
*
- * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter
* @author Patrick Peck
* @version $Id$
*/
@@ -46,9 +45,6 @@ public class DataBaseArchiveParameterImpl implements DataBaseArchiveParameters {
this.jDBCUrl = jDBCUrl;
}
- /**
- * @see iaik.pki.store.revocation.archive.db.DataBaseArchiveParameter#getJDBCUrl()
- */
@Override
public String getJDBCUrl() {
return jDBCUrl;
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java
index a53bce8..f15bbb3 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/PKIProfileImpl.java
@@ -65,7 +65,7 @@ public class PKIProfileImpl implements PKIProfile {
/**
* Create a new <code>PKIProfileImpl</code>.
- *
+ *
* @param config The MOA configuration providing configuration data
* about certificate path validation.
* @param trustProfileID The trust profile ID denoting the location of the trust
@@ -83,58 +83,6 @@ public class PKIProfileImpl implements PKIProfile {
}
- private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException {
- final TrustProfile tp = config.getTrustProfile(trustProfileId);
- if (tp != null) {
- // build directory based trust store as default
-
- if (tp.isTSLEnabled()) {
- TslTrustStoreProfile tslTrustStore;
- try {
- if (!TSLServiceFactory.isInitialized()) {
- Logger.error("Can not build TrustProfile:" + trustProfileId
- + " Reason: TrustProfile needs TSL support but TSL client NOT initialized.");
- throw new TslPKIException("Trust Status-List service client is NOT initialized");
-
- }
-
- // build TSL truststore if enabled
- tslTrustStore = TSLServiceFactory.getTSLServiceClient().buildTrustStoreProfile(
- tp.getCountries(),
- tp.getAllowedTspStatus(),
- tp.getAllowedTspServiceTypes(),
- trustProfileId + "_TSL");
-
- // build Directory based TrustStore
- final TrustStoreProfileImpl directoryTrustStore = new TrustStoreProfileImpl(trustProfileId
- + "_Directory", tp.getUri());
-
- // generate a virtual truststore that concatenates the TSL TrustStore and the
- // directory TrustStore
- final ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile(
- Arrays.asList(tslTrustStore, directoryTrustStore),
- trustProfileId);
-
- // set this virtual truststore
- setTrustStoreProfile(chainedProfile);
-
- } catch (final TslPKIException e) {
- Logger.error("Virtual TSL based TrustProfile generation FAILED.", e);
- throw new MOAApplicationException("2900", new Object[] { trustProfileId });
-
- }
-
- } else {
- setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri()));
- }
-
- } else {
- throw new MOAApplicationException("2203", new Object[] { trustProfileId });
-
- }
-
- }
-
/**
* @see iaik.pki.PKIProfile#autoAddCertificates()
*/
@@ -153,7 +101,7 @@ public class PKIProfileImpl implements PKIProfile {
/**
* Sets the <code>RevocationProfile</code>.
- *
+ *
* @param revocationProfile The <code>RevocationProfile</code> used for
* revocation checking.
*/
@@ -171,7 +119,7 @@ public class PKIProfileImpl implements PKIProfile {
/**
* Sets the <code>TrustStoreProfile</code>.
- *
+ *
* @param trustStoreProfile The <code>TrustStoreProfile</code>.
*/
protected void setTrustStoreProfile(TrustStoreProfile trustStoreProfile) {
@@ -188,7 +136,7 @@ public class PKIProfileImpl implements PKIProfile {
/**
* Sets the <code>ValidationProfile</code>.
- *
+ *
* @param validationProfile The <code>ValidationProfile</code> to set.
*/
protected void setValidationProfile(ValidationProfile validationProfile) {
@@ -211,15 +159,15 @@ public class PKIProfileImpl implements PKIProfile {
if (config.getAutoAddCertificates()) {
if (config.getAutoAddEECertificates()) {
return PKIProfile.AUTO_ADD_ENABLE;
-
+
} else {
return PKIProfile.AUTO_ADD_EE_DISABLE;
-
+
}
} else {
return PKIProfile.AUTO_ADD_DISABLE;
-
+
}
}
@@ -230,4 +178,69 @@ public class PKIProfileImpl implements PKIProfile {
return null;
}
+ private void internalTrustProfileBuilder(String trustProfileId) throws MOAApplicationException {
+ final TrustProfile tp = config.getTrustProfile(trustProfileId);
+ if (tp != null) {
+ // build directory based trust store as default
+
+ if (tp.isTSLEnabled()) {
+ buildTrustStoreWithTslSupport(tp);
+
+ } else {
+ setTrustStoreProfile(new TrustStoreProfileImpl(trustProfileId, tp.getUri()));
+ }
+
+ } else {
+ throw new MOAApplicationException("2203", new Object[] { trustProfileId });
+
+ }
+ }
+
+ private void buildTrustStoreWithTslSupport(TrustProfile tp) throws MOAApplicationException {
+ try {
+ if (!TSLServiceFactory.isInitialized()) {
+ if (tp.isForceTslAvailability()) {
+ Logger.error("Can not build TrustProfile:" + tp.getId()
+ + " Reason: TrustProfile needs TSL support but TSL client NOT initialized.");
+ throw new TslPKIException("Trust Status-List service client is NOT initialized");
+
+ } else {
+ Logger.warn("Can not fully initialize TrustProfile:" + tp.getId()
+ + ", because TrustProfile needs TSL support but TSL client NOT initialized. Ignoring TSL support ... ");
+ setTrustStoreProfile(new TrustStoreProfileImpl(tp.getId(), tp.getUri()));
+
+ }
+
+ } else {
+
+ // build TSL truststore if enabled
+ TslTrustStoreProfile tslTrustStore = TSLServiceFactory.getTSLServiceClient().buildTrustStoreProfile(
+ tp.getCountries(),
+ tp.getAllowedTspStatus(),
+ tp.getAllowedTspServiceTypes(),
+ tp.getId() + "_TSL");
+
+ // build Directory based TrustStore
+ final TrustStoreProfileImpl directoryTrustStore =
+ new TrustStoreProfileImpl(tp.getId() + "_Directory", tp.getUri());
+
+ // generate a virtual truststore that concatenates the TSL TrustStore and the
+ // directory TrustStore
+ final ChainingTrustStoreProfile chainedProfile = new ChainingTrustStoreProfile(
+ Arrays.asList(tslTrustStore, directoryTrustStore),
+ tp.getId());
+
+ // set this virtual truststore
+ setTrustStoreProfile(chainedProfile);
+
+ }
+
+ } catch (final TslPKIException e) {
+ Logger.error("Virtual TSL based TrustProfile generation FAILED.", e);
+ throw new MOAApplicationException("2900", new Object[] { tp.getId() });
+
+ }
+
+ }
+
}
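Review bot: When the TSL client is not initialised and `forceTslAvailability` is false, `buildTrustStoreWithTslSupport` silently substitutes the directory store for the configured TSL+directory chain; this is recorded once at WARN at profile-build time and nowhere in the resulting profile, so nothing downstream can tell that the TSL anchors and the `allowedTspStatus`/`allowedTspServiceTypes` constraints were never applied. Consider logging that branch at ERROR, since it is a degraded security configuration rather than a transient, and adding a Javadoc on the method such as `Builds the trust store for a TSL-enabled profile; if the TSL client is not initialised, the directory store alone is used unless the profile forces TSL availability, in which case error 2900 is raised.` Whether a profile built in degraded mode is ever rebuilt once the TSL client becomes available is not visible here and should be confirmed. `tslTrustStore` can also be declared `final` like the sibling locals.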
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java
index 9ef3764..7a036ec 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/pki/store/truststore/TrustStoreProfileImpl.java
@@ -60,10 +60,9 @@ public class TrustStoreProfileImpl implements TrustStoreProfile {
/**
* Create a new <code>TrustStoreProfileImpl</code>.
*
- * @param config The MOA configuration data, from which trust store
- * configuration data is read.
- * @param trustProfileId The trust profile id on which this
- * <code>TrustStoreProfile</code> is based.
+ * @param trustProfileId The trust profile id on which this
+ * <code>TrustStoreProfile</code> is based.
+ * @param trustProfileUri File path to trust profile
* @throws MOAApplicationException The <code>trustProfileId</code> could not be
* found in the MOA configuration.
*/
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
index 516e3d8..b0fea7f 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlsign/XMLSignatureCreationProfileImpl.java
@@ -26,6 +26,8 @@ package at.gv.egovernment.moa.spss.server.iaik.xmlsign;
import java.util.List;
import java.util.Set;
+import org.apache.commons.lang3.StringUtils;
+
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
@@ -76,6 +78,7 @@ public class XMLSignatureCreationProfileImpl
private final IdGenerator propertyIDGenerator;
/** The selected digest method algorithm if XAdES 1.4.2 is used */
private final String digestMethodXAdES142;
+ private final boolean rsaSsaPss;
/**
* Create a new <code>XMLSignatureCreationProfileImpl</code>.
@@ -85,11 +88,12 @@ public class XMLSignatureCreationProfileImpl
* same request.
* @param reservedIDs The set of IDs that must not be used while
* generating new IDs.
+ * @param useRsaSsaPss Use RSASSA-PSS if supported
*/
public XMLSignatureCreationProfileImpl(
int createProfileCount,
Set reservedIDs,
- String digestMethodXAdES142) {
+ String digestMethodXAdES142, boolean useRsaSsaPss) {
signatureIDGenerator =
new IdGenerator("signature-" + createProfileCount, reservedIDs);
manifestIDGenerator =
@@ -99,6 +103,8 @@ public class XMLSignatureCreationProfileImpl
propertyIDGenerator =
new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs);
this.digestMethodXAdES142 = digestMethodXAdES142;
+ this.rsaSsaPss = useRsaSsaPss;
+
}
/**
@@ -159,6 +165,14 @@ public class XMLSignatureCreationProfileImpl
@Override
public String getSignatureAlgorithmName(KeyEntryID selectedKeyID)
throws AlgorithmUnavailableException {
+ String sigAlgIdentifier = getInternalSignatureAlgorithmName(selectedKeyID);
+ Logger.debug("Selected SignatureAlgorithmIdentifier: " + sigAlgIdentifier);
+ return sigAlgIdentifier;
+
+ }
+
+ private String getInternalSignatureAlgorithmName(KeyEntryID selectedKeyID)
+ throws AlgorithmUnavailableException {
final TransactionContext context =
TransactionContextManager.getInstance().getTransactionContext();
@@ -174,21 +188,35 @@ public class XMLSignatureCreationProfileImpl
e,
null);
}
+ Logger.trace("RSASSA-PSS: " + rsaSsaPss + " XAdESDigistAlg: " + digestMethodXAdES142
+ + " Algorithms: " + StringUtils.join(algorithms, ","));
+ // TODO: maybe add support for parameterized RSASSA-PSS
if (digestMethodXAdES142 == null) {
// XAdES 1.4.2 not enabled - legacy MOA
- if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)
+ if (rsaSsaPss
+ && (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)
+ || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)
+ || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1))) {
+ return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1;
+
+ } else if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)
- || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+ || algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)
+ || algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+
+ return SignatureAlgorithms.SHA256_WITH_RSA;
- return SignatureAlgorithms.SHA1_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.ECDSA)) {
return SignatureAlgorithms.ECDSA;
+
} else if (algorithms.contains(SignatureAlgorithms.DSA)) {
return SignatureAlgorithms.DSA;
+
} else {
throw new AlgorithmUnavailableException(
"No algorithm for key entry: " + selectedKeyID,
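Review bot: In the legacy (`digestMethodXAdES142 == null`) branch the identifier that is returned is never checked against the key's `algorithms` set: `SHA256_WITH_RSA_AND_MGF1` is returned if the key lists any of the SHA-256/384/512 PSS variants, and `SHA256_WITH_RSA` if it lists any of MD2/MD5/RIPEMD/SHA-1/SHA-256/384/512 v1.5, so a key that lists only `SHA1_WITH_RSA` or `SHA384_WITH_RSA_AND_MGF1` now gets an algorithm it did not advertise, which presumably fails later in the signing module rather than with the `AlgorithmUnavailableException` below. Test each candidate individually, preferred first, and fall through to the exception otherwise; keys that list only MD2/MD5/RIPEMD would then be rejected, which is the right outcome for a signing service. This branch also changes the legacy default from SHA-1 to SHA-256, which is good but worth a changelog entry. The method continues past the end of this hunk.
```java
if (digestMethodXAdES142 == null) {
    // XAdES 1.4.2 not enabled - legacy MOA: only return an algorithm the key actually lists
    if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) {
        return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1;
    } else if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) {
        return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1;
    } else if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) {
        return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1;
    } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
        return SignatureAlgorithms.SHA256_WITH_RSA;
    } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
        return SignatureAlgorithms.SHA384_WITH_RSA;
    } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
        return SignatureAlgorithms.SHA512_WITH_RSA;
    } else if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) {
        // last-resort fallback for keys that only list SHA-1; MD2/MD5/RIPEMD are deliberately not offered
        return SignatureAlgorithms.SHA1_WITH_RSA;
    } else if (algorithms.contains(SignatureAlgorithms.ECDSA)) {
        return SignatureAlgorithms.ECDSA;
    // … unchanged: DSA branch and AlgorithmUnavailableException …
```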
@@ -219,7 +247,10 @@ public class XMLSignatureCreationProfileImpl
}
} else if (digestMethodXAdES142.compareTo("SHA-256") == 0) {
- if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
+ if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1)) {
+ return SignatureAlgorithms.SHA256_WITH_RSA_AND_MGF1;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
return SignatureAlgorithms.SHA256_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) {
@@ -235,7 +266,10 @@ public class XMLSignatureCreationProfileImpl
null);
}
} else if (digestMethodXAdES142.compareTo("SHA-384") == 0) {
- if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
+ if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1)) {
+ return SignatureAlgorithms.SHA384_WITH_RSA_AND_MGF1;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
return SignatureAlgorithms.SHA384_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) {
@@ -251,7 +285,10 @@ public class XMLSignatureCreationProfileImpl
null);
}
} else if (digestMethodXAdES142.compareTo("SHA-512") == 0) {
- if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
+ if (rsaSsaPss && algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1)) {
+ return SignatureAlgorithms.SHA512_WITH_RSA_AND_MGF1;
+
+ } else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
return SignatureAlgorithms.SHA512_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) {
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
index 9ba731d..d8d99bd 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java
@@ -47,6 +47,7 @@ import at.gv.egovernment.moaspss.logging.LoggingContext;
import at.gv.egovernment.moaspss.logging.LoggingContextManager;
import at.gv.egovernment.moaspss.util.Constants;
import at.gv.egovernment.moaspss.util.DOMUtils;
+import iaik.asn1.INTEGER;
import iaik.asn1.ObjectID;
import iaik.pkcs.pkcs12.PKCS12KeyStore;
import iaik.server.ConfigurationData;
@@ -61,12 +62,12 @@ import iaik.utils.RFC2253NameParser;
public class SystemInitializer {
private static final org.slf4j.Logger logger = LoggerFactory.getLogger(SystemInitializer.class);
-
+
/**
* 15 min TSL reload scheduler interval.
*/
private static final long TSL_SCHEDULE_INTERVAL = 5*60*1000;
-
+
/** Interval between archive cleanups in seconds */
private static final long ARCHIVE_CLEANUP_INTERVAL = 60 * 60; // 1h
@@ -115,10 +116,10 @@ public class SystemInitializer {
RFC2253NameParser.register(
"organizationIdentifier",
new ObjectID("2.5.4.97", "organizationIdentifier", (String) null, false));
-
+
// initialize configuration
initializeMoaSigConfiguraion();
-
+
// start the archive cleanup thread
Thread archiveCleaner =
new Thread(new RevocationArchiveCleaner(ARCHIVE_CLEANUP_INTERVAL));
@@ -149,9 +150,9 @@ public class SystemInitializer {
private static void initializeMoaSigConfiguraion() {
final MessageProvider msg = MessageProvider.getInstance();
-
+
try {
-
+
Logger.info("Initialize MOA-SP/SS configuration ... ");
config = ConfigurationProvider.getInstance();
@@ -177,12 +178,17 @@ public class SystemInitializer {
iaikConfiguration = IaikConfigurator.configure(config);
runInitializer(config);
-
- // set Fallback mode in IAIK KeyStore implementation to 'true' to fix problems default behavior of JVM
+
+ // set Fallback mode in IAIK KeyStore implementation to 'true' to fix problems default behavior of JVM
PKCS12KeyStore.setUseJKSFallBack(true);
- Logger.info("Set fallback mode in: " + PKCS12KeyStore.class.getSimpleName()
+ Logger.info("Set fallback mode in: " + PKCS12KeyStore.class.getSimpleName()
+ " to :" + PKCS12KeyStore.getUseJKSFallBack());
-
+
+ INTEGER.checkForMinumumLengthEncoding(config.isStrictSignatureValueParsing());
+ Logger.info(config.isStrictSignatureValueParsing() ? "Enable"
+ : "Disable"
+ + " strict parsing of ASN.1 encoded signature values");
+
Logger.info(new LogMsg(msg.getMessage("init.01", null)));
} catch (final MOAException e) {
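Review bot: The new Logger.info call is mis-parenthesised: `+` binds tighter than `?:`, so when strict parsing is enabled the message is just `Enable`, and only the disabled case prints the full sentence. Write it as `Logger.info((config.isStrictSignatureValueParsing() ? "Enable" : "Disable") + " strict parsing of ASN.1 encoded signature values");`. `INTEGER.checkForMinumumLengthEncoding(...)` is a static switch in the IAIK ASN.1 library, so it is process-wide and affects every ASN.1 INTEGER decoded in this JVM, not only signature values; a comment saying so, and noting that the non-strict mode presumably accepts non-minimal INTEGER encodings (several byte strings for the same DSA/ECDSA signature value), would help whoever flips that config option. The enclosing method continues past the hunk.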
@@ -193,9 +199,9 @@ public class SystemInitializer {
Logger.fatal(new LogMsg(msg.getMessage("init.00", null)), e);
throw new RuntimeException(e);
- }
+ }
}
-
+
private static void loadXsdSchemaIntoXmlParser() {
// parsing/validating
try {
@@ -221,10 +227,10 @@ public class SystemInitializer {
}
} catch (final IOException e) {
Logger.warn(new LogMsg(MessageProvider.getInstance().getMessage("init.04", null)), e);
-
- }
+
+ }
}
-
+
private static void initTSLUpdateTask(TSLConfiguration tslconfig) {
final MessageProvider msg = MessageProvider.getInstance();
if (tslconfig != null) {
@@ -254,14 +260,14 @@ public class SystemInitializer {
if (start.before(now)) {
start = new Date(start.getTime() + 86400000);
}
-
+
Logger.debug(new LogMsg(msg.getMessage("config.46", new String[] { start.toString(), "" + period })));
// start TSL updater task
final Timer timer = new Timer("TSL_DB_Updater");
- timer.schedule(new TSLUpdaterTimerTask(start, period),
+ timer.schedule(new TSLUpdaterTimerTask(start, period),
new Date(now.getTime() + TSL_SCHEDULE_INTERVAL), TSL_SCHEDULE_INTERVAL);
-
+
}
}
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java
index 2e7445e..4ae1866 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureCreationInvoker.java
@@ -40,6 +40,7 @@ import java.util.Map;
import java.util.Set;
import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
import at.gv.egovernment.moa.spss.MOAApplicationException;
import at.gv.egovernment.moa.spss.MOAException;
@@ -74,6 +75,8 @@ import iaik.server.modules.cmssign.CMSSignatureCreationProfile;
import iaik.server.modules.keys.KeyEntryID;
import iaik.server.modules.keys.KeyModule;
import iaik.server.modules.keys.KeyModuleFactory;
+import iaik.xml.crypto.utils.URI;
+import iaik.xml.crypto.utils.URIException;
/**
* A class providing an API based interface to the
@@ -190,26 +193,7 @@ public class CMSSignatureCreationInvoker {
Logger.debug("PAdES conformity requested. Does not set mimetype into CAdES signature");
}
- final CMSContent content = dataobject.getContent();
- InputStream contentIs = null;
- // build the content data
- switch (content.getContentType()) {
- case CMSContent.EXPLICIT_CONTENT:
- contentIs = ((CMSContentExcplicit) content).getBinaryContent();
- break;
- case CMSContent.REFERENCE_CONTENT:
- final String reference = ((CMSContentReference) content).getReference();
- if (!"".equals(reference)) {
- final ExternalURIResolver resolver = new ExternalURIResolver();
- contentIs = resolver.resolve(reference);
- } else {
- throw new MOAApplicationException("2301", null);
- }
- break;
- default: {
- throw new MOAApplicationException("2301", null);
- }
- }
+ InputStream contentIs = readContentToSign(dataobject.getContent(), context);
// create CMSSignatureCreationModuleFactory
final CMSSignatureCreationModule module = CMSSignatureCreationModuleFactory.getInstance();
@@ -237,6 +221,7 @@ public class CMSSignatureCreationInvoker {
// get digest algorithm
final String digestAlgorithm = getDigestAlgorithm(config, keyGroupID);
+ final boolean useRsaSsaPss = isRsaSsaPssActive(config, keyGroupID);
// create CMSSignatureCreation profile:
final CMSSignatureCreationProfile profile = new CMSSignatureCreationProfileImpl(
@@ -246,7 +231,8 @@ public class CMSSignatureCreationInvoker {
isSecurityLayerConform,
includeData,
mimetype,
- isPAdESConformRequired);
+ isPAdESConformRequired,
+ useRsaSsaPss);
// create CMSSignature from the CMSSignatureCreationModule
// build the additionalSignedProperties
@@ -291,6 +277,53 @@ public class CMSSignatureCreationInvoker {
return responseBuilder.getResponse();
}
+ private InputStream readContentToSign(CMSContent content, TransactionContext context)
+ throws MOAApplicationException {
+ InputStream contentIs = null;
+ // build the content data
+ switch (content.getContentType()) {
+ case CMSContent.EXPLICIT_CONTENT:
+ contentIs = ((CMSContentExcplicit) content).getBinaryContent();
+ break;
+
+ case CMSContent.REFERENCE_CONTENT:
+ final String reference = ((CMSContentReference) content).getReference();
+ if (StringUtils.isNotEmpty(reference) && reference.startsWith("cid:")) {
+ try {
+ URI uri = new URI(reference);
+ Logger.trace("Selecting attachement with Id: " + uri.getPath() + " ...");
+ contentIs = context.getAttachmentInputStream(uri);
+ if (contentIs == null) {
+ Logger.warn("No attachment with Id: " + reference);
+ throw new MOAApplicationException("2301", null);
+
+ }
+
+ } catch (URIException e) {
+ Logger.warn("Can not get attachment with Id: " + reference);
+ throw new MOAApplicationException("2301", null, e);
+
+ }
+
+ } else if (StringUtils.isNotEmpty(reference)) {
+ final ExternalURIResolver resolver = new ExternalURIResolver();
+ contentIs = resolver.resolve(reference);
+
+ } else {
+ throw new MOAApplicationException("2301", null);
+
+ }
+ break;
+
+ default: {
+ throw new MOAApplicationException("2301", null);
+ }
+ }
+
+ return contentIs;
+
+ }
+
private boolean inRange(BigDecimal counter, CMSDataObject dataobject) {
final BigDecimal from = dataobject.getExcludeByteRangeFrom();
final BigDecimal to = dataobject.getExcludeByteRangeTo();
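Review bot: `reference.startsWith("cid:")` is a case-sensitive test, but URI schemes are case-insensitive, so a `CID:...` reference skips the attachment branch and is handed to `ExternalURIResolver` as if it were an external URI; compare with `reference.regionMatches(true, 0, "cid:", 0, 4)`. The new method has no Javadoc; a header should state that it returns the raw stream of the data to sign, that `cid:` references are served from the request's attachments and never fetched, and that every other non-empty reference is resolved externally (presumably subject to the configured URL allow/block rules — confirm in `ExternalURIResolver`). Nothing here closes the returned stream, so the contract that the caller owns it is worth stating too.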
@@ -313,13 +346,23 @@ public class CMSSignatureCreationInvoker {
}
+ private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID)
+ throws MOASystemException {
+ final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass();
+ final boolean configUseRsaSsaPss = config.isUseRsaSsaPss();
+ return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss;
+
+ }
+
private String getDigestAlgorithm(ConfigurationProvider config, String keyGroupID)
throws MOASystemException {
// get digest method on key group level (if configured)
final String configDigestMethodKG = config.getKeyGroup(keyGroupID).getDigestMethodAlgorithm();
+
// get default digest method (if configured)
final String configDigestMethod = config.getDigestMethodAlgorithmName();
+
String digestMethod = null;
if (configDigestMethodKG != null) {
// if KG specific digest method is configured
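Review bot: `isRsaSsaPssActive` duplicates the helper added to `XMLSignatureCreationProfileFactory` in this same commit, and the two copies already differ (the XML one carries a trace log); the key-group-overrides-global resolution belongs in one place, e.g. a `ConfigurationProvider.isUseRsaSsaPss(String keyGroupID)` both invokers call, so the CMS and XML paths cannot drift. The getter it relies on is spelled `isUseRsaSsaPass()`, which reads as "password" rather than PSS; if the config class is still open to change, `isUseRsaSsaPss()` avoids that confusion. Add a one-line Javadoc such as `/** Resolves whether RSASSA-PSS is used for this key group; the key-group setting wins over the global default. */`.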
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
index e18f957..7aca40e 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java
@@ -86,7 +86,7 @@ public class CMSSignatureVerificationInvoker {
/**
* Return the only instance of this class.
- *
+ *
* @return The only instance of this class.
*/
public static synchronized CMSSignatureVerificationInvoker getInstance() {
@@ -98,7 +98,7 @@ public class CMSSignatureVerificationInvoker {
/**
* Create a new <code>CMSSignatureVerificationInvoker</code>.
- *
+ *
* Protected to disallow multiple instances.
*/
protected CMSSignatureVerificationInvoker() {
@@ -106,7 +106,7 @@ public class CMSSignatureVerificationInvoker {
/**
* Verify a CMS signature.
- *
+ *
* @param request The <code>VerifyCMSSignatureRequest</code> containing the CMS
* signature, as well as additional data needed for verification.
* @return Element A <code>VerifyCMSSignatureResponse</code> containing the
@@ -118,7 +118,7 @@ public class CMSSignatureVerificationInvoker {
final CMSSignatureVerificationProfileFactory profileFactory = new CMSSignatureVerificationProfileFactory(
request);
- final VerifyCMSSignatureResponseBuilder responseBuilder = new VerifyCMSSignatureResponseBuilder();
+
final TransactionContext context = TransactionContextManager.getInstance().getTransactionContext();
final LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext();
InputStream signature;
@@ -219,7 +219,7 @@ public class CMSSignatureVerificationInvoker {
}
}
- final QCSSCDResult qcsscdresult = new QCSSCDResult();
+ final VerifyCMSSignatureResponseBuilder responseBuilder = new VerifyCMSSignatureResponseBuilder();
// build the response: for each signatory add the result to the response
signatories = request.getSignatories();
@@ -248,7 +248,7 @@ public class CMSSignatureVerificationInvoker {
handlePDFResult(resultObject, responseBuilder, trustProfile);
}
} catch (final IndexOutOfBoundsException e) {
- throw new MOAApplicationException("2249", new Object[] { new Integer(sigIndex) });
+ throw new MOAApplicationException("2249", new Object[] { Integer.valueOf(sigIndex) });
}
}
}
@@ -343,8 +343,6 @@ public class CMSSignatureVerificationInvoker {
PDFSignatureVerificationResult cmsResult = null;
List adesResults = null;
boolean extendedVerification = false;
- final Boolean coversFullDoc = null;
- final int[] sigByteRange = null;
ExtendedCertificateCheckResult extCheckResult = null;
if (resultObject instanceof ExtendedPDFSignatureVerificationResult) {
@@ -404,8 +402,8 @@ public class CMSSignatureVerificationInvoker {
i++;
}
- qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), trustProfile
- .isTSLEnabled(), ConfigurationProvider.getInstance());
+ qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(),
+ trustProfile.isTSLEnabled(), ConfigurationProvider.getInstance());
// get signer certificate issuer country code
issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0));
@@ -421,7 +419,7 @@ public class CMSSignatureVerificationInvoker {
/**
* Get the signed content contained either in the request itself or given as a
* reference to external data.
- *
+ *
* @param request The <code>VerifyCMSSignatureRequest</code> containing the
* signed content (or the reference to the signed content).
* @return InputStream A stream providing the signed content data, or
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java
index bc5d884..bca9b8e 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CreateCMSSignatureResponseBuilder.java
@@ -69,12 +69,12 @@ public class CreateCMSSignatureResponseBuilder {
/**
* Add a <code>SignatureEnvironment</code> element to the response.
*
- * @param signatureEnvironment The content to put under the
- * <code>SignatureEnvironment</code> element. This
- * should either be a <code>dsig:Signature</code>
- * element (in case of a detached signature) or the
- * signature environment containing the signature
- * (in case of an enveloping signature).
+ * @param base64value The content to put under the
+ * <code>SignatureEnvironment</code> element. This should
+ * either be a <code>dsig:Signature</code> element (in case
+ * of a detached signature) or the signature environment
+ * containing the signature (in case of an enveloping
+ * signature).
*/
public void addCMSSignature(String base64value) {
final CMSSignatureResponse responseElement =
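Review bot: The reworded `@param base64value` still describes the XML case (a `dsig:Signature` element or an enveloping signature environment), which does not fit a Base64 string passed to a CMS response builder; the rename fixed the parameter name but not the description. Suggest `@param base64value Base64-encoded CMS signature placed under the response's signature element.`, with the element name matched to what `responseElement` actually produces (its construction runs past the hunk). The summary line above, "Add a SignatureEnvironment element", looks like the same copy-paste and should name the CMS element as well.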
@@ -84,7 +84,7 @@ public class CreateCMSSignatureResponseBuilder {
/**
* Add a <code>ErrorResponse</code> element to the response.
- *
+ *
* @param errorCode The error code.
* @param info Additional information about the error.
*/
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
index 813d28e..79b4c29 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java
@@ -74,15 +74,26 @@ public class VerifyCMSSignatureResponseBuilder {
/**
* Add a verification result to the response.
*
- * @param result The result to add.
- * @param trustprofile The actual trustprofile
- * @param checkQCFromTSL <code>true</code>, if the TSL check verifies the
- * certificate as qualified, otherwise <code>false</code>.
- * @param checkSSCD <code>true</code>, if the TSL check verifies the
- * signature based on a SSDC, otherwise
- * <code>false</code>.
- * @param sscdSourceTSL <code>true</code>, if the SSCD information comes from
- * the TSL, otherwise <code>false</code>.
+ * @param result The result to add.
+ * @param trustProfile The actual trustprofile
+ * @param checkQC <code>true</code>, if the TSL check
+ * verifies the certificate as qualified,
+ * otherwise <code>false</code>.
+ * @param qcSourceTSL <true> if QC info comes from the TSL,
+ * otherwise <code>false</code>.
+ * @param checkSSCD <code>true</code>, if the TSL check
+ * verifies the signature based on a SSDC,
+ * otherwise <code>false</code>.
+ * @param sscdSourceTSL <code>true</code>, if the SSCD
+ * information comes from the TSL,
+ * otherwise <code>false</code>.
+ * @param issuerCountryCode TSL issuer country
+ * @param adesResults Form validation results
+ * @param extendedCertificateCheckResult Extended validation results
+ * @param tslInfos Full TSL validation result
+ * @param extendedVerification <code>true</code> if extended
+ * validation was used, otherwise
+ * <code>false</code>
* @throws MOAException
*/
public void addResult(CMSSignatureVerificationResult result, TrustProfile trustProfile, boolean checkQC,
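Review bot: In the new Javadoc, `@param qcSourceTSL <true> if QC info comes from the TSL` uses `<true>`, which is not a valid HTML tag and fails doclint, unlike the `<code>true</code>` used by the neighbouring parameters; change it to `@param qcSourceTSL <code>true</code>, if the QC information comes from the TSL, otherwise <code>false</code>.` The `checkSSCD` description says "SSDC", which looks like a transposition of SSCD. The parameter list should also be checked against the signature, which runs past the hunk.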
@@ -150,7 +161,7 @@ public class VerifyCMSSignatureResponseBuilder {
}
/**
- *
+ *
* @param result
* @param trustProfile
* @param checkQC
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
index 7e882ed..25ce8d1 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
@@ -515,7 +515,7 @@ public class VerifyXMLSignatureResponseBuilder {
try {
if (refInfo.isHashCalculated() && !refInfo.isHashValid()) {
- failedReferencesList.add(new Integer(i + 1));
+ failedReferencesList.add(Integer.valueOf(i + 1));
}
} catch (final HashUnavailableException e) {
// nothing to do here because we called refInfo.isHashCalculated first
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
index c097b0c..46c4983 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureCreationProfileFactory.java
@@ -191,8 +191,10 @@ public class XMLSignatureCreationProfileFactory {
}
}
+
final XMLSignatureCreationProfileImpl profile =
- new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142);
+ new XMLSignatureCreationProfileImpl(createProfileCount, allReservedIDs, digestMethodXAdES142,
+ isRsaSsaPssActive(config, keyGroupID));
// build the transformation supplements
createTransformsProfiles =
@@ -260,6 +262,21 @@ public class XMLSignatureCreationProfileFactory {
return profile;
}
+ private boolean isRsaSsaPssActive(ConfigurationProvider config, String keyGroupID)
+ throws MOASystemException {
+ final Boolean useRsaSsaPssKg = config.getKeyGroup(keyGroupID).isUseRsaSsaPass();
+ final boolean configUseRsaSsaPss = config.isUseRsaSsaPss();
+
+ Logger.trace("Config using RSASSA-PSS. KeyStore: "
+ + useRsaSsaPssKg != null
+ ? useRsaSsaPssKg
+ : "NOT-DEFINED"
+ + " Default: " + config);
+
+ return useRsaSsaPssKg != null ? useRsaSsaPssKg : configUseRsaSsaPss;
+
+ }
+
/**
* Get the <code>List</code> of all <code>CreateTransformsInfoProfile</code>s
* contained in all the <code>DataObjectInfo</code>s of the given
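Review bot: The trace statement in the new `isRsaSsaPssActive` is mis-parenthesised: `+` binds tighter than `!=` and `?:`, so the condition evaluates `("Config using RSASSA-PSS. KeyStore: " + useRsaSsaPssKg) != null`, which is always true, and the call logs only the bare Boolean (or `null`); the `" Default: " + config` tail is never reached, and even if it were it would print the `ConfigurationProvider` object instead of the flag. Replace it with `Logger.trace("Config using RSASSA-PSS. KeyStore: " + (useRsaSsaPssKg != null ? useRsaSsaPssKg : "NOT-DEFINED") + " Default: " + configUseRsaSsaPss);`. The same helper is added to `CMSSignatureCreationInvoker` in this commit; hoisting it into `ConfigurationProvider` would remove the duplicate.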
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
index b97cc95..0fb2d82 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java
@@ -110,34 +110,27 @@ import iaik.xml.crypto.utils.URIException;
public class XMLSignatureVerificationInvoker {
/** The single instance of this class. */
- private static XMLSignatureVerificationInvoker instance = null;
+ private static final XMLSignatureVerificationInvoker INSTANCE = new XMLSignatureVerificationInvoker();
- private static Set FILTERED_REF_TYPES;
-
- static {
- FILTERED_REF_TYPES = new HashSet();
- FILTERED_REF_TYPES.add(DsigManifest.XML_DSIG_MANIFEST_TYPE);
- FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE);
- FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD);
- FILTERED_REF_TYPES.add(XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties");
- FILTERED_REF_TYPES.add("http://uri.etsi.org/01903#SignedProperties");
- }
+ private static final Set<String> FILTERED_REF_TYPES = Set.of(
+ DsigManifest.XML_DSIG_MANIFEST_TYPE,
+ SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE,
+ SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD,
+ XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties",
+ "http://uri.etsi.org/01903#SignedProperties");
/**
* Get the single instance of this class.
- *
+ *
* @return The single instance of this class.
*/
- public static synchronized XMLSignatureVerificationInvoker getInstance() {
- if (instance == null) {
- instance = new XMLSignatureVerificationInvoker();
- }
- return instance;
+ public static XMLSignatureVerificationInvoker getInstance() {
+ return INSTANCE;
}
/**
* Create a new <code>XMLSignatureCreationInvoker</code>.
- *
+ *
* Protected to disallow multiple instances.
*/
protected XMLSignatureVerificationInvoker() {
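Review bot: `Set.of(...)` throws `IllegalArgumentException` on duplicate elements, whereas the `HashSet` it replaces silently absorbed them; if `XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties"` ever equals the literal `"http://uri.etsi.org/01903#SignedProperties"` listed right after it, class initialisation fails with `ExceptionInInitializerError` and every XML verification request dies. Unless the constant is known to differ, `Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)))` (or `Set.copyOf(List.of(...))` on Java 10+) keeps the old tolerance. The eager `INSTANCE` likewise moves any failure in the constructor, whose body is outside the hunk, from the first `getInstance()` call to class loading, where it surfaces as an `ExceptionInInitializerError` rather than the original exception; a comment noting the constructor is trivial, or a check if it is not, would settle that.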
@@ -146,8 +139,8 @@ public class XMLSignatureVerificationInvoker {
/**
* Process the <code>VerifyXMLSignatureRequest<code> message and invoke the
* <code>XMLSignatureVerificationModule</code>.
- *
- * @param request A <code>VerifyXMLSignatureRequest<code> API object
+ *
+ * @param request A <code>VerifyXMLSignatureRequest<code> API object
* containing the data for verifying an XML signature.
* &#64;return A <code>VerifyXMLSignatureResponse</code> containing the answert
* to the <code>VerifyXMLSignatureRequest</code>. MOA schema
@@ -307,16 +300,16 @@ public class XMLSignatureVerificationInvoker {
/**
* Checks if the signer certificate matches one of the allowed signer
* certificates specified in the provided <code>trustProfile</code>.
- *
+ *
* @param result The result produced by the
* <code>XMLSignatureVerificationModule</code>.
- *
+ *
* @param trustProfile The trust profile the signer certificate is validated
* against.
- *
+ *
* @return The overal result of the certificate validation for the signer
* certificate.
- *
+ *
* @throws MOAException if one of the signer certificates specified in the
* <code>trustProfile</code> cannot be read from the file
* system.
@@ -392,7 +385,7 @@ public class XMLSignatureVerificationInvoker {
/**
* Select the <code>dsig:Signature</code> DOM element within the signature
* environment.
- *
+ *
* @param signatureEnvironment The signature environment containing the
* <code>dsig:Signature</code>.
* @param request The <code>VerifyXMLSignatureRequest</code>
@@ -425,7 +418,7 @@ public class XMLSignatureVerificationInvoker {
/**
* Build the supplemental data objects contained in the
* <code>VerifyXMLSignatureRequest</code>.
- *
+ *
* @param supplements A <code>List</code> of
* <code>XMLDataObjectAssociation</code>s containing the
* supplement data.
@@ -458,7 +451,7 @@ public class XMLSignatureVerificationInvoker {
/**
* Get the supplemental data contained in the
* <code>VerifyXMLSignatureRequest</code>.
- *
+ *
* @param request The <code>VerifyXMLSignatureRequest</code> containing the
* supplemental data.
* @return A <code>List</code> of <code>XMLDataObjectAssociation</code> objects
@@ -490,7 +483,7 @@ public class XMLSignatureVerificationInvoker {
/**
* Perform additional validations of the
* <code>XMLSignatureVerificationResult</code>.
- *
+ *
* <p>
* In particular, it is verified that:
* <ul>
@@ -500,7 +493,7 @@ public class XMLSignatureVerificationInvoker {
* <li>The hash values of the <code>TransformParameter</code>s are valid.</li>
* </ul>
* </p>
- *
+ *
* @param request The <code>VerifyXMLSignatureRequest</code> containing the
* signature to verify.
* @param result The result produced by
@@ -546,7 +539,7 @@ public class XMLSignatureVerificationInvoker {
}
if (!found) {
- final Integer refIndex = new Integer(refData.getReferenceIndex());
+ final Integer refIndex = Integer.valueOf(refData.getReferenceIndex());
final String logMsg = msg.getMessage("invoker.01", new Object[] { refIndex });
failedReferencesList.add(refIndex);
@@ -588,8 +581,8 @@ public class XMLSignatureVerificationInvoker {
final int[] failedReferences = new int[] { ref.getReferenceIndex() };
final ReferencesCheckResultInfo checkInfo = factory.createReferencesCheckResultInfo(null,
failedReferences);
- final String logMsg = msg.getMessage("invoker.02", new Object[] { new Integer(ref
- .getReferenceIndex()) });
+ final String logMsg = msg.getMessage("invoker.02", new Object[] {
+ Integer.valueOf(ref.getReferenceIndex()) });
Logger.debug(new LogMsg(logMsg));
@@ -605,7 +598,7 @@ public class XMLSignatureVerificationInvoker {
* Get all <code>Transform</code>s contained in all the
* <code>VerifyTransformsInfoProfile</code>s of the given
* <code>ReferenceInfo</code>.
- *
+ *
* @param refInfo The <code>ReferenceInfo</code> object containing the
* transformations.
* @return A <code>List</code> of <code>List</code>s. Each of the
@@ -637,7 +630,7 @@ public class XMLSignatureVerificationInvoker {
/**
* Build the <code>Set</code> of all <code>TransformParameter</code> URIs.
- *
+ *
* @param transformParameters The <code>List</code> of
* <code>TransformParameter</code>s, as provided to
* the verification.
@@ -658,7 +651,7 @@ public class XMLSignatureVerificationInvoker {
/**
* Build a mapping between <code>TransformParameter</code> URIs (a
* <code>String</code> and <code>dsig:HashValue</code> (a <code>byte[]</code>).
- *
+ *
* @param request The <code>VerifyXMLSignatureRequest</code>.
* @return Map The resulting mapping.
* @throws MOAApplicationException An error occurred accessing one of the
@@ -703,7 +696,7 @@ public class XMLSignatureVerificationInvoker {
* Filter the <code>ReferenceInfo</code>s returned by the
* <code>VerifyXMLSignatureResult</code> for comparison with the
* <code>ReferenceInfo</code> elements in the request.
- *
+ *
* @param referenceInfos The <code>ReferenceInfo</code>s from the
* <code>VerifyXMLSignatureResult</code>.
* @return A <code>List</code> of all <code>ReferenceInfo</code>s whose type is
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java
index 335bf68..a60590d 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/DeleteableDataSource.java
@@ -1,6 +1,6 @@
package at.gv.egovernment.moa.spss.server.transaction;
-import javax.activation.DataSource;
+import jakarta.activation.DataSource;
public interface DeleteableDataSource extends DataSource {
void delete();
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java
index 5746657..06326a0 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/transaction/TransactionContext.java
@@ -33,14 +33,13 @@ import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Vector;
-import javax.activation.DataSource;
-
import org.w3c.dom.Element;
import at.gv.egovernment.moa.spss.MOAApplicationException;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
import at.gv.egovernment.moaspss.logging.Logger;
import iaik.xml.crypto.utils.URI;
+import jakarta.activation.DataSource;
/**
* Contains information about the current request.
@@ -310,7 +309,7 @@ public class TransactionContext {
}
// not available in Axis 1.0 to 1.1
// File f = mmds.getDiskCacheFile();
-// if (f!=null) f.delete();
+// if (f!=null) f.delete();
if (mmds instanceof DeleteableDataSource) {
((DeleteableDataSource) mmds).delete();
}
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java
index d75240e..0336834 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/tsl/TSLServiceFactory.java
@@ -3,7 +3,6 @@ package at.gv.egovernment.moa.spss.tsl;
import at.gv.egovernment.moa.sig.tsl.TslClientFactory;
import at.gv.egovernment.moa.sig.tsl.api.ITslService;
import at.gv.egovernment.moa.sig.tsl.config.TslConfigurationImpl;
-import at.gv.egovernment.moa.sig.tsl.exception.TslException;
import at.gv.egovernment.moa.sig.tsl.pki.chaining.ChainingTrustStoreHandler;
import at.gv.egovernment.moa.spss.server.monitoring.ServiceStatusContainer;
import at.gv.egovernment.moa.spss.util.MessageProvider;
@@ -16,7 +15,7 @@ public class TSLServiceFactory {
private static ITslService tslClient = null;
private static TslConfigurationImpl interalConfig;
- public static void initialize(TslConfigurationImpl config) {
+ public static synchronized void initialize(TslConfigurationImpl config) {
if (tslClient == null) {
try {
interalConfig = config;
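Review bot: Making `initialize` `synchronized` guards the check-then-assign of `tslClient`, but the static fields `tslClient` and `interalConfig` are presumably also read by accessors outside this hunk; unless those readers synchronize on the same monitor or the fields are `volatile`, a thread that never enters `initialize` has no happens-before edge with the write and may observe a stale `null`. Either declare both fields `volatile` or route reads through a `synchronized` accessor. A one-line Javadoc stating that only the first call takes effect would document the `if (tslClient == null)` guard.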
@@ -28,7 +27,7 @@ public class TSLServiceFactory {
ServiceStatusContainer.setStatus(true);
ServiceStatusContainer.setStatusMsg(ServiceStatusContainer.STATUS_OK);
- } catch (final TslException e) {
+ } catch (final Exception e) {
Logger.fatal(new LogMsg(MessageProvider.getInstance().getMessage("init.05", new Object[] { e
.getMessage() })), e);
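Review bot: Widening `catch (final TslException e)` to `catch (final Exception e)` means programming errors during TSL client construction (NPE, IllegalArgumentException, ClassCastException) are now logged as `init.05` and, presumably, folded into the service status instead of propagating, which makes a misconfigured or broken TSL setup look like a runtime TSL failure. If the widening is needed because `TslClientFactory` throws a checked exception other than `TslException`, name that type in a multi-catch, e.g. `catch (final TslException | OtherCheckedException e)`; otherwise keep the narrow catch. What follows the log is outside the hunk.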
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java
index 8e37b1c..8dd2a8b 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/AdESResultUtils.java
@@ -21,8 +21,8 @@ import iaik.server.modules.resultcodes.ResultCodeValid;
public class AdESResultUtils {
- private static final int MAJORRESULTCODESKIPPED = new Integer(3);
- private static final int MAJORRESULTCODEERROR = new Integer(4);
+ private static final int MAJORRESULTCODESKIPPED = Integer.valueOf(3);
+ private static final int MAJORRESULTCODEERROR = Integer.valueOf(4);
public static Integer getResultCode(Integer adesCode) {
return adesCode;
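Review bot: `private static final int MAJORRESULTCODESKIPPED = Integer.valueOf(3);` boxes 3 into an `Integer` only to unbox it straight back into an `int` field; the replacement for the deprecated constructor is simply `= 3` (and `= 4` for the error code). While these lines are being touched, `MAJOR_RESULT_CODE_SKIPPED` / `MAJOR_RESULT_CODE_ERROR` would follow the usual UPPER_SNAKE_CASE constant convention, though their uses are outside the hunk. A short comment on what "major result code" 3 and 4 mean in the AdES result model would help, since the numbers carry no explanation here.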
@@ -114,9 +114,9 @@ public class AdESResultUtils {
minorInfo = "UNKNOWN_SUBFILTER";
} else if (resultCode.getCode().equals(ResultCode.CODE_NO_SIGNER_CERTIFICATE_FOUND)) {
minorInfo = "NO_SIGNER_CERTIFICATE_FOUND";
-
-
-
+
+
+
// pdf-as 3.x detection is removed from MOA-SP since 3.1.2
} else if (resultCode.getCode().equals(ResultCode.PDF_AS_SIGNATURE)) {
// minorInfo = "PDF_AS_SIGNATURE";
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
index b7580ac..35dca16 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/CertificateUtils.java
@@ -204,7 +204,6 @@ public class CertificateUtils {
// QC evaluation flags
boolean qc = false;
boolean qcSourceTSL = false;
- boolean qcDisallowedFromTSL = false;
// SSCD/QSCD evaluation flags
boolean sscd = false;
@@ -254,7 +253,6 @@ public class CertificateUtils {
TslConstants.SSCD_QUALIFIER_SHORT.NotQualified))) {
qc = false;
qcSourceTSL = false;
- qcDisallowedFromTSL = true;
Logger.info("TSL mark this certificate explicitly as 'NotQualified'!");
}
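Review bot: Dropping `qcDisallowedFromTSL` is behaviour-neutral only because the flag was write-only in the visible lines; the branch it sat in is the one where the TSL explicitly marks the certificate `NotQualified`, and the rest of `checkQCSSCD` runs outside the hunk. If a later step in that method re-derives `qc` from the certificate's own QcStatements, the explicit TSL veto is now carried nowhere but the log line; confirm that the TSL verdict still wins, and if it does, say so at this branch, e.g. `// TSL explicitly NotQualified: must override any QC claim from the certificate itself`.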
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
index be40a9e..221c361 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/util/ExternalURIVerifier.java
@@ -47,7 +47,7 @@ public class ExternalURIVerifier {
}
} else {
// check host and port
- final int iport = new Integer(bport).intValue();
+ final int iport = Integer.valueOf(bport).intValue();
if (ip.startsWith(bhost) && iport == port) {
Logger.debug(new LogMsg("Blacklist check: " + host + ":" + port + " (" + ip + ":" + port
+ " blacklisted"));
@@ -75,7 +75,7 @@ public class ExternalURIVerifier {
}
} else {
// check host and port
- final int iport = new Integer(bport).intValue();
+ final int iport = Integer.valueOf(bport).intValue();
if (ip.startsWith(bhost) && iport == port) {
Logger.debug(new LogMsg("Whitelist check: " + host + ":" + port + " (" + ip + ":" + port
+ " whitelisted"));
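Review bot: `Integer.valueOf(bport).intValue()` merely swaps one boxing for another; the idiomatic replacement for the deprecated constructor is `Integer.parseInt(bport)`, and since `bport` comes from configuration a malformed entry should be reported once rather than throwing `NumberFormatException` on every check (the enclosing loop and method start outside the hunk). More important is the match on the context line, `ip.startsWith(bhost)`, which is a string-prefix test: a whitelist entry `10.1.1.1` also admits `10.1.1.10`–`10.1.1.19` and `10.1.1.100`–`10.1.1.199`, and the blacklist hunk above has the same shape. If prefix semantics are intended for subnet-style entries, require them to end in `.` or compare against a configured CIDR; otherwise use `ip.equals(bhost)`.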
diff --git a/moaSig/moa-sig-lib/src/main/resources/resources/properties/spss_messages_de.properties b/moaSig/moa-sig-lib/src/main/resources/resources/properties/spss_messages_de.properties
index 6971f56..b4bcd84 100644
--- a/moaSig/moa-sig-lib/src/main/resources/resources/properties/spss_messages_de.properties
+++ b/moaSig/moa-sig-lib/src/main/resources/resources/properties/spss_messages_de.properties
@@ -7,14 +7,14 @@
#
1100=Fehler beim Validieren der Anfrage: {0}
-1101=Bei enveloping Datenobjekten muss entweder Content oder Reference �bergeben werden
+1101=Bei enveloping Datenobjekten muss entweder Content oder Reference übergeben werden
1102=Bei detached Datenobjekten darf das Attribut Reference nicht leer sein
-1103=Ung�ltiger Wert f�r Attribut Structure im Element DataObjectInfo: {0}
-1104=Ung�ltiger Wert f�r DateTime: {0}
-1105=Ung�ltiger Wert f�r Attribut Index in Element CreateSignatureLocation: {0}
+1103=Ungültiger Wert für Attribut Structure im Element DataObjectInfo: {0}
+1104=Ungültiger Wert für DateTime: {0}
+1105=Ungültiger Wert für Attribut Index in Element CreateSignatureLocation: {0}
1106=Interner Fehler beim Parsen der XML-Daten
1107=Kein Kind-Element im Element XMLContent gefunden
-1108=Ung�ltiger Wert f�r dsig:Algorithm: {0}
+1108=Ungültiger Wert für dsig:Algorithm: {0}
1109=XMLContent darf nur ein Kind-Element enthalten
1110=Entweder Content oder Reference muss gesetzt sein
1111=Reference muss gesetzt sein, wenn kein Content angegeben ist
@@ -23,64 +23,64 @@
2200=Fehler beim Erzeugen der Antwort
2201=Transformations-Algorithmus unbekannt: {0}
-2202=Kein XPath-Element f�r XPath-Transformation gefunden
+2202=Kein XPath-Element für XPath-Transformation gefunden
2203=TrustProfileID unbekannt: {0}
-2207=Ung�ltiges URI-Format: {0}
-2208=Fehler beim �ffnen des Datenobjekts (URI={0})
+2207=Ungültiges URI-Format: {0}
+2208=Fehler beim üffnen des Datenobjekts (URI={0})
2209=Fehler beim Parsen der XML-Daten
2210=Fehler beim Lesen des Datenobjekts
-2211=Referenzierte Daten k�nnen nicht als XML interpretiert werden (URI={0})
+2211=Referenzierte Daten künnen nicht als XML interpretiert werden (URI={0})
2212=Fehler beim Auswerten des XPath-Ausdrucks: {0}
2213=Zugriff auf das Dateisystem verweigert (URI={0})
-2214=Ung�ltiges URL-Format: {0}
-2215=Kein Stylesheet f�r XSLT-Transformation gefunden
-2216=Kein XPath-Filter2 Element f�r XPath-Filter2-Transform gefunden
-2217=Kein InclusiveNamespaces Element f�r Exclusive Canonicalization Transform gefunden
-2218=Das Signature Environment enth�lt keine validen XML-Daten
+2214=Ungültiges URL-Format: {0}
+2215=Kein Stylesheet für XSLT-Transformation gefunden
+2216=Kein XPath-Filter2 Element für XPath-Filter2-Transform gefunden
+2217=Kein InclusiveNamespaces Element für Exclusive Canonicalization Transform gefunden
+2218=Das Signature Environment enthült keine validen XML-Daten
2219=Fehler beim Lesen des Signature Environment
2220=Allgemeiner Fehler beim Erzeugen der Signatur [{0}]
-2221=Fehler bei der Behandlung des Schl�ssels [{0}]
+2221=Fehler bei der Behandlung des Schlüssels [{0}]
2222=Fehler beim Erstellen des Manifests [{0}]
2223=Fehler beim Erstellen der Referenz [{0}]
-2224=Hashwert nicht verf�gbar [{0}]
-2225=Signier-Algorithmus wird nicht unterst�tzt [{0}]
+2224=Hashwert nicht verfügbar [{0}]
+2225=Signier-Algorithmus wird nicht unterstützt [{0}]
2226=Fehler beim Einbetten der Signatur [{0}]
2227=Fehler beim Berechnen des Signaturwertes [{0}]
2228=Fehler beim Behandeln der SignedProperties [{0}]
-2229=Signator-Zertifikat nicht verf�gbar [{0}]
-2230=Fehler beim Aufl�sen eines Supplements [{0}]
-2231=Die Schl�sselgruppe ist nicht verf�gbar
-2232=Die Schl�sselgruppe ist leer
-2233=Fehler beim Durchf�hren der Transformation [{0}]
+2229=Signator-Zertifikat nicht verfügbar [{0}]
+2230=Fehler beim Auflüsen eines Supplements [{0}]
+2231=Die Schlüsselgruppe ist nicht verfügbar
+2232=Die Schlüsselgruppe ist leer
+2233=Fehler beim Durchführen der Transformation [{0}]
2234=CreateTransformsInfoProfileID nicht vorhanden (ID={0})
2235=CreateSignatureEnvironment muss entweder Reference oder Content enthalten
2236=CreateSignatureEnvironmentProfileID nicht vorhanden (ID={0})
-2237=Fehler beim Aufl�sen der internen Referenz (URI={0})
-2238=Fehler beim Aufl�sen des Transformationsparameters (URI={0})
+2237=Fehler beim Auflüsen der internen Referenz (URI={0})
+2238=Fehler beim Auflüsen des Transformationsparameters (URI={0})
2240=Allgemeiner Fehler beim Verifizieren der Signatur [{0}]
-2241=Algorithmus wird nicht unterst�tzt [{0}]
+2241=Algorithmus wird nicht unterstützt [{0}]
2242=Fehler beim Parsen der CMS Signatur [{0}]
-2243=Signator-Zertifikat nicht verf�gbar [{0}]
+2243=Signator-Zertifikat nicht verfügbar [{0}]
2244=Fehler beim Lesen der Signatur-Daten
2245=Fehler beim Codieren des Signator-Zertifikats
2246=Fehler beim Umwandeln des SubjectDN des Signator-Zertifikats nach RFC2253: {0}
2247=Allgemeiner Fehler beim Verifizieren der Signatur [{0}]
2248=Fehler beim Vorbereiten der Daten [{0}]
-2249=Das Attribut Signatories enth�lt einen ung�ltigen Index (Index={0})
+2249=Das Attribut Signatories enthült einen ungültigen Index (Index={0})
2262=Fehler beim Behandeln des Manifests [{0}]
2263=Fehler beim Parsen der Properties [{0}]
2264=Fehler beim Behandeln der Referenz [{0}]
-2265=Fehler beim Durchf�hren der Transformation [{0}]
+2265=Fehler beim Durchführen der Transformation [{0}]
2266=Signatur ist kein dsig:Signature-Element
2267=SupplementProfileID nicht vorhanden (ID={0})
2268=VerifyTransformsInfoProfileID nicht vorhanden (ID={0})
2269=Fehler beim Parsen der Transformation [{0}]
2270=Fehler beim Decodieren des Hash-Wertes
2271=Falsche Anzahl an ReferenceInfo Elementen in SignatureManfestCheckParams
-2280=Die Angabe XMLContent wird derzeit nicht unterst�tzt
+2280=Die Angabe XMLContent wird derzeit nicht unterstützt
2281=XML-Supplement kann nicht serialisiert werden (Reference="{0}")
2282=Datenobjekt mit der URI={0} wurde dem Request nicht bereit gestellt
-2290=Fehler bei der QC bzw. SSCD Pr�fung via TSL
+2290=Fehler bei der QC bzw. SSCD Prüfung via TSL
2300=Fehler bei der Erstellen der CMS Signatur
2301=Fehler beim Lesen des zu signierenden Datenobjekts
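Review bot: Several re-encoded messages in this hunk replace the garbled byte with `ü` where the original umlaut was a different letter: 2208 reads `üffnen` (should be `Öffnen`), 2211 `künnen` (`können`), 2218 and 2249 `enthült` (`enthält`), and 2230/2237/2238 `Auflüsen` (`Auflösen`); the same pattern appears in config.09 (`üffnen`) in the -121,12 hunk and in tsl.01 (`überprüfung`, should be `Überprüfung`) in the -166,19 hunk. These are user-facing error texts that end up in responses and logs, so each word needs to be corrected individually rather than by the blanket substitution applied here. How the bundle is loaded is not visible in this diff; if it is read as ISO-8859-1 (the traditional default for .properties files) the raw UTF-8 characters would still display as two garbled characters, so either `\uXXXX` escapes or a loader that reads UTF-8 is needed — worth confirming before relying on this change.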
@@ -88,12 +88,12 @@
2900=Interner Server-Fehler
3201=Objekt kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
-3202=Supplement f�r Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
+3202=Supplement für Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
3203=Signaturumgebung kann nicht geladen werden (Reference="{0}", LocRef-URI="{1}")
4001=Externe URI {0} darf nicht geladen werden (externe sind URIs verboten und URI befindet sich nicht auf der Whitelist)
4002=Externe URI {0} befindet sich auf der Blacklist und darf nicht geladen werden
-4003=IP-Adresse f�r {0} konnte nicht ermitteln werden
+4003=IP-Adresse für {0} konnte nicht ermitteln werden
9900=Nicht klassifizierter Fehler in Subsystem
@@ -112,8 +112,8 @@ init.03=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround: SSL ist mögl
init.04=Fehler beim Initialisieren des Schema Pools
init.05=Fehler beim Initialisieren der TSL clients. Ursache: {0}
-config.00=Fehler beim Erstellen des KeyGroupMapping: KeyGroup mit id={0} unbekannt - die Erstellung des KeyGroupMapping wird fortgef�hrt
-config.01=Fehler in der Konfiguration: Wert für maximale Archivierungsdauer von Widerrufsinformationen (ArchiveDuration) nicht konfiguriert oder ung�ltig
+config.00=Fehler beim Erstellen des KeyGroupMapping: KeyGroup mit id={0} unbekannt - die Erstellung des KeyGroupMapping wird fortgeführt
+config.01=Fehler in der Konfiguration: Wert für maximale Archivierungsdauer von Widerrufsinformationen (ArchiveDuration) nicht konfiguriert oder ungültig
config.02=Fehler in der Konfiguration: {0} mit id={1}: falscher Profiltyp in Datei {2}
config.03=Fehler in der Konfiguration: {0} mit id={1} konnte nicht geladen werden
config.04=Fehler in der Konfiguration: {0} mit id={1} existiert bereits
@@ -121,12 +121,12 @@ config.05=Umgebungsvariable {0} nicht gesetzt: benutze Default-Konfiguration
config.06=Die MOA SP/SS Konfiguration wurde erfolgreich aktualisiert.
config.07=Fehler in der Konfiguration: Reason code {0} unbekannt
config.08=Fehler beim Konfigurieren der IAIK-Module
-config.09=Fehler beim �ffnen der Schl�ssel-Datei {0}
-config.10=Fehler beim Einlesen der Konfiguration (siehe Log-Datei f�r Details)
-config.11=Fehler beim Erstellen der Konfiguration (siehe Log-Datei f�r Details)
+config.09=Fehler beim üffnen der Schlüssel-Datei {0}
+config.10=Fehler beim Einlesen der Konfiguration (siehe Log-Datei für Details)
+config.11=Fehler beim Erstellen der Konfiguration (siehe Log-Datei für Details)
config.12=Fehler beim Einlesen des Profils
-config.13=Fehler beim Erstellen des CRLDistributionPoint: CAIssuerDN={0} ung�ltig
-config.14=Das Attribut {0} f�r das TrustProfile mit id={1} ist ung�ltig (Wert={2})
+config.13=Fehler beim Erstellen des CRLDistributionPoint: CAIssuerDN={0} ungültig
+config.14=Das Attribut {0} für das TrustProfile mit id={1} ist ungültig (Wert={2})
config.15=Fehler beim Erstellen des TrustProfile id={0}: Name des Konfigurations-Verzeichnisses konnte nicht in eine URL umgewandet werden
config.16=Fehler beim Erstellen von X509IssuerSerial (IssuerName={0}, SerialNumber={1})
config.17=DigestAlgorithmName unbekannt (AlgorithmName={0})
@@ -135,14 +135,14 @@ config.19=Key ID={0}
config.20=Fehler beim Aktualisieren der MOA SP/SS Konfiguration. Die bestehende Konfiguration wird beibehalten
config.21=Lade Konfiguration von {0}
config.22=Lade {0} mit id={1} von Datei {2}
-config.23=MOA SP/SS Konfiguration: {0} nicht gesetzt oder ung�ltiger Wert, verwende den Default-Wert: {1}
+config.23=MOA SP/SS Konfiguration: {0} nicht gesetzt oder ungültiger Wert, verwende den Default-Wert: {1}
config.25=Fehler in der Konfiguration: Das SoftwareKeyModule mit id={0} konnte nicht geladen werden, da die Datei {1} nicht existiert oder ein Verzeichnis bezeichnet
config.26=Fehler beim Erstellen der KeyGroup mit id={0}: KeyModule mit id={1} unbekannt
config.27=Fehler in der Konfiguration: Das Attribut {0} des TrustProfiles mit id={1} zeigt nicht auf ein existierendes Verzeichnis
config.28=Einen detaillierten Fehlerbericht entnehmen Sie bitte der Log-Datei.
config.29=Es sind folgende leichte Fehler aufgetreten:
-config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schl�ssel im KeyModule id={1} mit IssuerName={2} und SerialNumber={3} konnte nicht geladen werden
-config.32=Fehler in der Konfiguration: Verzeichnisangabe f�r den Zertifikatsspeicher ist ung�ltig ({0}).
+config.31=Fehler in der Konfiguration der KeyGroup mit id={0}: Der Schlüssel im KeyModule id={1} mit IssuerName={2} und SerialNumber={3} konnte nicht geladen werden
+config.32=Fehler in der Konfiguration: Verzeichnisangabe für den Zertifikatsspeicher ist ungültig ({0}).
config.33=External URIs are allowed. Maybe a URI blacklist exists.
config.34=Blacklisted URI: {0}.
config.35=External URIs not allowed. Maybe a URI whitelist exists.
@@ -150,7 +150,7 @@ config.36=No blacklisted URIs given.
config.37=Fehler beim Erstellen der TSL Konfiguration: Name des TSL Arbeits-Verzeichnisses konnte nicht in eine URL umgewandet werden (Wert="{0}")
config.38=Fehler beim Erstellen der TSL Konfiguration: Das TSL Arbeits-Verzeichnis ist kein Verzeichnis (Wert="{0}")
config.39=TSL Konfguration: Kein Attribut "{0}" angegeben oder Attribut konnte nicht ausgewertet werden. Verwenden Default-Wert ("{1}")
-config.40=Fehler beim Erstellen der TSL Konfiguration: Es wurde mindestens ein TrustProfile mit aktivierter TSL-Unterst�tzung konfiguriert. Die allgemeine TSL-Konfiguration ist jedoch fehlerhaft.
+config.40=Fehler beim Erstellen der TSL Konfiguration: Es wurde mindestens ein TrustProfile mit aktivierter TSL-Unterstützung konfiguriert. Die allgemeine TSL-Konfiguration ist jedoch fehlerhaft.
config.41=Initialisiere TSL Bibliothek
config.42=Start updating TSL enabled truststores
config.43=Update truststore with id "{0}"
@@ -166,19 +166,19 @@ config.52=Fehler beim Einlesen des Profils. Ursache: {0}
handler.00=Starte neue Transaktion: TID={0}, Service={1}
handler.01=Aufruf von Adresse={0}
handler.02=Client-Zertifikat: Subject={0}, Serial={1}, Issuer={2}
-handler.03=Client-Zertifikat nicht verf�gbar
+handler.03=Client-Zertifikat nicht verfügbar
handler.04=Anfrage erfolgreich abgearbeitet
handler.05=Fehler beim Abarbeiten der Anfrage
-handler.06=SOAP Attachment mit der id={0} f�r Request hinterlegt (MIME Type des Attachments={1})
+handler.06=SOAP Attachment mit der id={0} für Request hinterlegt (MIME Type des Attachments={1})
handler.07=SOAP Request empfangen: Request={0}
invoker.00=Das Signature Environment konnte nicht validierend geparst werden
invoker.01=Keine passende Transformationskette gefunden (Index={0})
-invoker.02=Der Hashwert der Transformation stimmt nicht �berein (Index={0})
+invoker.02=Der Hashwert der Transformation stimmt nicht überein (Index={0})
invoker.03=Signatorzertifikat aus Trustprofile mit id={0} konnte nicht geparst werden (Dateiname={1})
-tsl.00=Aktulisierung der TSL konnte nicht durchgef�hrt werden. TrustProfile mit aktiviertem TSL-Support stehen nicht zur Verf�gung.
-tsl.01=Fehler bei der QC (qualifiziertes Zertifikat) bzw. SSCD (sichere Signaturerstellungseinheit) �berpr�fung via TSL.
+tsl.00=Aktulisierung der TSL konnte nicht durchgeführt werden. TrustProfile mit aktiviertem TSL-Support stehen nicht zur Verfügung.
+tsl.01=Fehler bei der QC (qualifiziertes Zertifikat) bzw. SSCD (sichere Signaturerstellungseinheit) überprüfung via TSL.
asic.0001=Only CAdES and XAdES signatures in ASiC-S are supported.
asic.0002=Only CAdES and XAdES signatures in ASiC-E are supported.
diff --git a/moaSig/moa-sig-lib/src/test/java/test/at/gv/egovernment/moa/spss/server/config/ProfileParseTest.java b/moaSig/moa-sig-lib/src/test/java/test/at/gv/egovernment/moa/spss/server/config/ProfileParseTest.java
new file mode 100644
index 0000000..887772d
--- /dev/null
+++ b/moaSig/moa-sig-lib/src/test/java/test/at/gv/egovernment/moa/spss/server/config/ProfileParseTest.java
@@ -0,0 +1,68 @@
+package test.at.gv.egovernment.moa.spss.server.config;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.io.IOException;
+
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moaspss.util.Constants;
+import at.gv.egovernment.moaspss.util.DOMUtils;
+import at.gv.egovernment.moa.spss.MOAApplicationException;
+import at.gv.egovernment.moa.spss.api.xmlbind.ProfileParser;
+import at.gv.egovernment.moa.spss.api.xmlverify.VerifyTransformsInfoProfile;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+public class ProfileParseTest {
+
+ @Test
+ public void xsdTransformationValid() throws SAXException, IOException, ParserConfigurationException, MOAApplicationException {
+ Element transformation = DOMUtils.parseDocument(
+ ProfileParseTest.class.getResourceAsStream("/data/SL20_authblock_v1.0.xml"),
+ true, Constants.ALL_SCHEMA_LOCATIONS, null).getDocumentElement();
+ assertNotNull("missing transformation", transformation);
+
+ ProfileParser profileParser = new ProfileParser();
+ VerifyTransformsInfoProfile profile = profileParser.parseVerifyTransformsInfoProfile(transformation);
+ assertNotNull(profile);
+
+ }
+
+ @Test
+ public void xsdTransformationInvalidAlgorithm() throws SAXException, IOException, ParserConfigurationException {
+ Element transformation = DOMUtils.parseDocument(
+ ProfileParseTest.class.getResourceAsStream("/data/SL20_authblock_v1.1_invalid_transformation.xml"),
+ true, Constants.ALL_SCHEMA_LOCATIONS, null).getDocumentElement();
+ assertNotNull("missing transformation", transformation);
+
+
+ ProfileParser profileParser = new ProfileParser();
+ MOAApplicationException error = assertThrows(MOAApplicationException.class, () -> profileParser.parseVerifyTransformsInfoProfile(transformation));
+ assertEquals("1108", error.getMessageId());
+
+ }
+
+ @Test
+ public void xsdTransformationInvalidSchema() throws SAXException, IOException, ParserConfigurationException {
+ Element transformation = DOMUtils.parseDocument(
+ ProfileParseTest.class.getResourceAsStream("/data/SL20_authblock_v1.0_invalid_schema.xml"),
+ false, Constants.ALL_SCHEMA_LOCATIONS, null).getDocumentElement();
+ assertNotNull("missing transformation", transformation);
+
+
+ ProfileParser profileParser = new ProfileParser();
+ MOAApplicationException error = assertThrows(MOAApplicationException.class, () -> profileParser.parseVerifyTransformsInfoProfile(transformation));
+ assertEquals("1108", error.getMessageId());
+
+ }
+
+}
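Review bot: The assertion imports mix JUnit 4 and JUnit 5: `assertEquals` is taken from `org.junit.jupiter.api.Assertions` while the class runs under `BlockJUnit4ClassRunner` and uses `assertNotNull`/`assertThrows` from `org.junit.Assert`; `import static org.junit.Assert.assertEquals;` keeps the test on one framework, and the `assertNull` import is unused. The streams returned by `getResourceAsStream` in all three test methods are never closed; wrapping each in try-with-resources avoids leaking the handle, assuming `DOMUtils.parseDocument` does not close it itself — that is outside the hunk. `org.junit.Assert.assertThrows` exists only from JUnit 4.13, so the declared JUnit 4 dependency should be at least that version.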
diff --git a/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.0.xml b/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.0.xml
new file mode 100644
index 0000000..e67b1f5
--- /dev/null
+++ b/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.0.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?><VerifyTransformsInfoProfile xmlns="http://reference.e-government.gv.at/namespace/moa/20020822#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"><xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" exclude-result-prefixes="saml2" version="1.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xsl:output method="xml" xml:space="default" /><xsl:template match="/" xmlns="http://www.w3.org/1999/xhtml"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Signatur der Anmeldedaten</title><style media="screen" type="text/css">
+ .normalstyle { font-size: medium; }
+ .italicstyle { font-size: medium; font-style: italic; }
+ .titlestyle { text-decoration:underline; font-weight:bold; font-size: medium; }
+ .h4style { font-size: large; }
+ .hidden {display: none; }
+ </style></head><body><h4 class="h4style">Anmeldedaten:</h4><p class="titlestyle">Daten zur Person</p><table class="parameters"><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:2.5.4.42']/saml2:AttributeValue)"><tr><td class="italicstyle">Vorname: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:2.5.4.42']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.20']/saml2:AttributeValue)"><tr><td class="italicstyle">Nachname: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.20']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.55']/saml2:AttributeValue)"><tr><td class="italicstyle">Geburtsdatum: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.55']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue"><tr><td class="italicstyle">Vollmacht: </td><td class="normalstyle"><xsl:text>Ich melde mich in Vertretung an. 
Im nächsten Schritt wird mir eine Liste der für mich verfügbaren Vertretungsverhältnisse angezeigt, aus denen ich eines auswählen werde.</xsl:text></td></tr></xsl:if></table><p class="titlestyle">Daten zur Anwendung</p><table class="parameters"><tr><td class="italicstyle">Identifikator: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderUniqueId']/saml2:AttributeValue" /></td></tr><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderFriendlyName']/saml2:AttributeValue)"><tr><td class="italicstyle">Name: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderFriendlyName']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderCountryCode']/saml2:AttributeValue)"><tr><td class="italicstyle">Staat: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderCountryCode']/saml2:AttributeValue" /></td></tr></xsl:if></table><p class="titlestyle">Technische Parameter</p><table class="parameters"><tr><td class="italicstyle">Datum:</td><td class="normalstyle"><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,9,2)" /><xsl:text>.</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,6,2)" /><xsl:text>.</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,1,4)" /></td></tr><tr><td class="italicstyle">Uhrzeit:</td><td class="normalstyle"><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,12,2)" /><xsl:text>:</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,15,2)" 
/><xsl:text>:</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,18,2)" /></td></tr><tr><td class="italicstyle">TransaktionsToken: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/@ID" /></td></tr><xsl:if test="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue"><tr><td class="italicstyle">
+ Vollmachten-Referenz: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue" /></td></tr></xsl:if><tr class="hidden"><td class="italicstyle">DataURL: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:Conditions/saml2:AudienceRestriction/saml2:Audience" /></td></tr><xsl:if test="/saml2:Assertion/saml2:Conditions/@NotOnOrAfter"><tr class="hidden"><td class="italicstyle">AuthBlockValidTo: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:Conditions/@NotOnOrAfter" /></td></tr></xsl:if></table></body></html></xsl:template></xsl:stylesheet></dsig:Transform><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></dsig:Transforms></VerifyTransformsInfoProfile>
diff --git a/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.0_invalid_schema.xml b/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.0_invalid_schema.xml
new file mode 100644
index 0000000..9ec50e8
--- /dev/null
+++ b/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.0_invalid_schema.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?><VerifyTransformsInfoProfile xmlns="http://reference.e-government.gv.at/namespace/moa/20020822#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform><xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" exclude-result-prefixes="saml2" version="1.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xsl:output method="xml" xml:space="default" /><xsl:template match="/" xmlns="http://www.w3.org/1999/xhtml"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Signatur der Anmeldedaten</title><style media="screen" type="text/css">
+ .normalstyle { font-size: medium; }
+ .italicstyle { font-size: medium; font-style: italic; }
+ .titlestyle { text-decoration:underline; font-weight:bold; font-size: medium; }
+ .h4style { font-size: large; }
+ .hidden {display: none; }
+ </style></head><body><h4 class="h4style">Anmeldedaten:</h4><p class="titlestyle">Daten zur Person</p><table class="parameters"><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:2.5.4.42']/saml2:AttributeValue)"><tr><td class="italicstyle">Vorname: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:2.5.4.42']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.20']/saml2:AttributeValue)"><tr><td class="italicstyle">Nachname: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.20']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.55']/saml2:AttributeValue)"><tr><td class="italicstyle">Geburtsdatum: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.55']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue"><tr><td class="italicstyle">Vollmacht: </td><td class="normalstyle"><xsl:text>Ich melde mich in Vertretung an. 
Im nächsten Schritt wird mir eine Liste der für mich verfügbaren Vertretungsverhältnisse angezeigt, aus denen ich eines auswählen werde.</xsl:text></td></tr></xsl:if></table><p class="titlestyle">Daten zur Anwendung</p><table class="parameters"><tr><td class="italicstyle">Identifikator: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderUniqueId']/saml2:AttributeValue" /></td></tr><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderFriendlyName']/saml2:AttributeValue)"><tr><td class="italicstyle">Name: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderFriendlyName']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderCountryCode']/saml2:AttributeValue)"><tr><td class="italicstyle">Staat: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderCountryCode']/saml2:AttributeValue" /></td></tr></xsl:if></table><p class="titlestyle">Technische Parameter</p><table class="parameters"><tr><td class="italicstyle">Datum:</td><td class="normalstyle"><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,9,2)" /><xsl:text>.</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,6,2)" /><xsl:text>.</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,1,4)" /></td></tr><tr><td class="italicstyle">Uhrzeit:</td><td class="normalstyle"><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,12,2)" /><xsl:text>:</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,15,2)" 
/><xsl:text>:</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,18,2)" /></td></tr><tr><td class="italicstyle">TransaktionsToken: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/@ID" /></td></tr><xsl:if test="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue"><tr><td class="italicstyle">
+ Vollmachten-Referenz: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue" /></td></tr></xsl:if><tr class="hidden"><td class="italicstyle">DataURL: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:Conditions/saml2:AudienceRestriction/saml2:Audience" /></td></tr><xsl:if test="/saml2:Assertion/saml2:Conditions/@NotOnOrAfter"><tr class="hidden"><td class="italicstyle">AuthBlockValidTo: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:Conditions/@NotOnOrAfter" /></td></tr></xsl:if></table></body></html></xsl:template></xsl:stylesheet></dsig:Transform><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></dsig:Transforms></VerifyTransformsInfoProfile>
diff --git a/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.1_invalid_transformation.xml b/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.1_invalid_transformation.xml
new file mode 100644
index 0000000..5eb4303
--- /dev/null
+++ b/moaSig/moa-sig-lib/src/test/resources/data/SL20_authblock_v1.1_invalid_transformation.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?><VerifyTransformsInfoProfile xmlns="http://reference.e-government.gv.at/namespace/moa/20020822#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116-invalid"><xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" exclude-result-prefixes="saml2" version="1.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><xsl:output method="xml" xml:space="default" /><xsl:template match="/" xmlns="http://www.w3.org/1999/xhtml"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Signatur der Anmeldedaten</title><style media="screen" type="text/css">
+ .normalstyle { font-size: medium; }
+ .italicstyle { font-size: medium; font-style: italic; }
+ .titlestyle { text-decoration:underline; font-weight:bold; font-size: medium; }
+ .h4style { font-size: large; }
+ .hidden {display: none; }
+ </style></head><body><h4 class="h4style">Anmeldedaten:</h4><p class="titlestyle">Daten zur Person</p><table class="parameters"><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:2.5.4.42']/saml2:AttributeValue)"><tr><td class="italicstyle">Vorname: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:2.5.4.42']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.20']/saml2:AttributeValue)"><tr><td class="italicstyle">Nachname: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.20']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.55']/saml2:AttributeValue)"><tr><td class="italicstyle">Geburtsdatum: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.55']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue"><tr><td class="italicstyle">Vollmacht: </td><td class="normalstyle"><xsl:text>Ich melde mich in Vertretung an. 
Im nächsten Schritt wird mir eine Liste der für mich verfügbaren Vertretungsverhältnisse angezeigt, aus denen ich eines auswählen werde.</xsl:text></td></tr></xsl:if></table><p class="titlestyle">Daten zur Anwendung</p><table class="parameters"><tr><td class="italicstyle">Identifikator: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderUniqueId']/saml2:AttributeValue" /></td></tr><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderFriendlyName']/saml2:AttributeValue)"><tr><td class="italicstyle">Name: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderFriendlyName']/saml2:AttributeValue" /></td></tr></xsl:if><xsl:if test="string(/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderCountryCode']/saml2:AttributeValue)"><tr><td class="italicstyle">Staat: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='http://eid.gv.at/eID/attributes/ServiceProviderCountryCode']/saml2:AttributeValue" /></td></tr></xsl:if></table><p class="titlestyle">Technische Parameter</p><table class="parameters"><tr><td class="italicstyle">Datum:</td><td class="normalstyle"><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,9,2)" /><xsl:text>.</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,6,2)" /><xsl:text>.</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,1,4)" /></td></tr><tr><td class="italicstyle">Uhrzeit:</td><td class="normalstyle"><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,12,2)" /><xsl:text>:</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,15,2)" 
/><xsl:text>:</xsl:text><xsl:value-of select="substring(/saml2:Assertion/@IssueInstant,18,2)" /></td></tr><tr><td class="italicstyle">TransaktionsToken: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/@ID" /></td></tr><xsl:if test="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue"><tr><td class="italicstyle">
+ Vollmachten-Referenz: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='urn:oid:1.2.40.0.10.2.1.1.261.90']/saml2:AttributeValue" /></td></tr></xsl:if><tr class="hidden"><td class="italicstyle">DataURL: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:Conditions/saml2:AudienceRestriction/saml2:Audience" /></td></tr><xsl:if test="/saml2:Assertion/saml2:Conditions/@NotOnOrAfter"><tr class="hidden"><td class="italicstyle">AuthBlockValidTo: </td><td class="normalstyle"><xsl:value-of select="/saml2:Assertion/saml2:Conditions/@NotOnOrAfter" /></td></tr></xsl:if></table></body></html></xsl:template></xsl:stylesheet></dsig:Transform><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></dsig:Transforms></VerifyTransformsInfoProfile>
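Review bot: The fixture's only deviation from a valid profile appears to be the `-invalid` suffix on the XSLT `Transform Algorithm` URI in the first line, so this test exercises rejection of an unrecognised transform algorithm, not a malformed or hostile stylesheet, and nothing in the file records that intent. Because the stylesheet body is otherwise a full copy of a production-looking auth-block transform (including the `.hidden` rows for DataURL and AuthBlockValidTo, which are signed but not shown to the user), a later edit to the valid fixture could silently diverge from this one while the test still passes for the wrong reason. I would add an XML comment directly after the `<VerifyTransformsInfoProfile ...>` start tag, e.g. `<!-- Negative fixture: same stylesheet as the valid SL20 v1.1 profile, only the Transform Algorithm URI is invalid; the verifier must reject it as an unsupported transform -->`, and consider a second negative fixture with a valid algorithm URI but an altered stylesheet (e.g. a changed hidden row) so the whole-transform comparison path is covered too. The hunk header announces 8 added lines while more physical lines are rendered here, so some `+` markers seem to have been lost to wrapping; worth checking the committed file is the intended 8 lines.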