From 8b087b4045eb1bf34a9656801b66f31830da0817 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Thu, 25 Jan 2018 15:35:20 +0100
Subject: update iaik_sva.jar and svaconfig.example to solve bug in KeyUsage
 validation

---
 moaSig/build.gradle                             |   2 +-
 moaSig/handbook/conf/moa-spss/svaconfig.example |  67 ++++++++++++++++--------
 moaSig/libs/iaik_sva.jar                        | Bin 125590 -> 128987 bytes
 3 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/moaSig/build.gradle b/moaSig/build.gradle
index fc5633b..ebca605 100644
--- a/moaSig/build.gradle
+++ b/moaSig/build.gradle
@@ -21,7 +21,7 @@ subprojects {
         testCompile 'junit:junit:4.8.2'
     }
 
-    version = '3.1.2-Snapshot'
+    version = '3.1.2.1-Snapshot'
 
     jar { manifest.attributes provider: 'EGIZ', 'Specification-Version': getCheckedOutGitCommitHash(), 'Implementation-Version': project.version  }
 }
diff --git a/moaSig/handbook/conf/moa-spss/svaconfig.example b/moaSig/handbook/conf/moa-spss/svaconfig.example
index f219ea1..7be4541 100644
--- a/moaSig/handbook/conf/moa-spss/svaconfig.example
+++ b/moaSig/handbook/conf/moa-spss/svaconfig.example
@@ -1,5 +1,3 @@
-#Fri Jul 27 14:18:37 CEST 2012
-#
 # Format [key]=[value]
 # 
 # Note that if an '=' is used in a key or value it has to be escaped: "\="
@@ -13,36 +11,36 @@
 #testdir=/data/sigval/incoming/test/
 
 #The basepath for signature validation
-#basepath=
+#basepath=/data/sigval/incoming
 
 ######################################################
 
 #The path prefix for all file system locations
-#pathprefix=/home/afitzek/server/moa-spss/apache-tomcat-8.0.0-RC3/conf/moa-spss/sva/
+pathprefix=/home/user/example/prefix
 
 #The file where the xmldsig core schema is located
-#xmlschemaloc=example/schema/xmldsig-core-schema.xsd
+xmlschemaloc=schema/xmldsig-core-schema.xsd
 
 #The root folder where truststore and certstore are created later on
-#certroot=example/certs
+certroot=certs/example
 
 #The folder containing the trustanchors
-#trustanchorloc=example/keys_and_certs
+trustanchorloc=certs/example/trustanchors
 
 #The folder containing the timestampauthority trustanchors
-#tsttrustanchorloc=example/keys_and_certs
+tsttrustanchorloc=certs/example/tstanchor
 
 #The folder containing alternative revocation information (comment out to use
 #infos contained in the certificate)
-#altdp=
+#altdp=certs/example/revocation
 
 #The maximum age of a revocation information of a end user certificate in hours
-#endusercertgrace=4382
+endusercertgrace=4382
 
 #The maximum age of a revocation information for a ca certificate in hours
-#cacertgrace=4382
+cacertgrace=4382
 
-#tstcoherencetolerance=10
+tstcoherencetolerance=10
 
 #The maximum time difference (in hours) the signing-time property and a 
 #time stamp
@@ -50,25 +48,50 @@
 
 # Defines the forbidden hashing algorithms and the inception date
 # Format: {<algorithm name>, <inception date>};{<algname 2>, <inc date 2>}...
-#hashconstraint={md5, 2000-08-08};{sha1, 2016-08-08}
-
-# Defines the forbidden hashing algorithms for CA Certificates and the inception date
-# Format: {<algorithm name>, <inception date>};{<algname 2>, <inc date 2>}...
-#cahashconstraint={md5,2000-08-08};{sha1, 2012-08-05}
+hashconstraint={md5, 2000-08-08};{sha1, 2013-08-08}
 
 # Defines the minimum required key lengths
 # Format: {<algorithm name>, <min len>,<inception date>};{...}...
-#keylenconstraint={rsa, 1024, 2000-08-08}
+keylenconstraint={rsa, 1024, 2000-08-08}
 
 # Defines the minimum required key lengths for CA Certificates
-# Format: {<algorithm name>, <min len>,<inception date>};{...}..
-#cakeylenconstraint={rsa,512,2000-08-08}
+# Format: {<algorithm name>, <min len>,<inception date>};{...}...
+cakeylenconstraint={rsa,512,2000-08-08}
 
 # Defines the minimum required key lengths for timestamps
 # Format: {<algorithm name>, <min len>,<inception date>};{...}...
-#tstkeylenconstraint={rsa, 1024, 2000-08-08}
+tstkeylenconstraint={rsa, 1024, 2000-08-08}
+
+# Defines the mapping from sub indications to main indications.
+# If a sub indication1 is not present or empty, the default mappings are used.
+# See "Final draft ETSI EN 319 102-1 V1.1.0 (2016-02)"
+# Format: {<sub indication1>, <main indication1>};{...}...
+indicationmapping={FORMAT_FAILURE,INDETERMINATE};{NO_VALID_TIMESTAMPS_FOUND, INDETERMINATE}
 
 # Allows any key usage if set to true, otherwise only dig. signature
 allowanykeyusage=false
 
-chainingmodel=SHELL
+# Defines the chaining model for path validation.
+# possible values are:
+#  - All certificates are valid at validationtime (SHELL model). This is the default value.
+#  - All certificates are valid at the time they were used for issuing a certificate or signing (CHAIN model).
+chainingmodel=shell
+
+# Defines if the validation of each timestap should be added to the validation report.
+# If set to true, the timestamp validation reports will be added. Default value is true.
+timestampreports=true
+
+# defines the bits which HAS TO be set in the key usage field of the 
+# end users certificate. The valid bits (from RFC5280) to set are as follows:
+# (if omitted or empty it defaults to DIGITAL_SIGNATURE):
+#          digitalSignature        (0),
+#          contentCommitment       (1)
+#          dataEncipherment        (3),
+#          keyAgreement            (4),
+#          keyCertSign             (5),
+#          cRLSign                 (6),
+#          encipherOnly            (7),
+#          decipherOnly            (8) 
+
+# Format: {<index of bit to set>; ...}
+keyusage = {0, 1}
\ No newline at end of file
diff --git a/moaSig/libs/iaik_sva.jar b/moaSig/libs/iaik_sva.jar
index 9500d67..9a55178 100644
Binary files a/moaSig/libs/iaik_sva.jar and b/moaSig/libs/iaik_sva.jar differ
-- 
cgit v1.2.3