From aabb36836ebfca9fe8cdc70dff13c0be7e5e761c Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Tue, 20 Dec 2016 17:00:45 +0100
Subject: add next missing parts for new TSL lib

---
 .../resources/schemas/MOA-SPSS-config-3.0.0.xsd    | 358 +++++++++++++++++++++
 .../conf/moa-spss/sp.minimum_with_tsl.config.xml   |   6 +-
 moaSig/libs/iaik_tsl-1.1.jar                       | Bin 558269 -> 0 bytes
 .../server/config/ConfigurationPartsBuilder.java   |   5 +-
 .../invoke/VerifyXMLSignatureResponseBuilder.java  |   7 +-
 5 files changed, 370 insertions(+), 6 deletions(-)
 create mode 100644 moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.0.0.xsd
 delete mode 100644 moaSig/libs/iaik_tsl-1.1.jar

diff --git a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.0.0.xsd b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.0.0.xsd
new file mode 100644
index 0000000..716f9d4
--- /dev/null
+++ b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-config-3.0.0.xsd
@@ -0,0 +1,358 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  MOA SP/SS 1.5.1 Configuration Schema
+-->
+<xs:schema xmlns:config="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" elementFormDefault="qualified" attributeFormDefault="unqualified">
+	<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
+	<xs:element name="MOAConfiguration">
+		<xs:complexType>
+			<xs:sequence>
+				<xs:element name="Common" minOccurs="0">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="HardwareCryptoModule" minOccurs="0" maxOccurs="unbounded">
+								<xs:complexType>
+									<xs:sequence>
+										<xs:element name="Name" type="xs:string"/>
+										<xs:element name="SlotId" type="xs:string" minOccurs="0"/>
+										<xs:element name="UserPIN" type="xs:string"/>
+									</xs:sequence>
+								</xs:complexType>
+							</xs:element>
+							<xs:element name="PDFASConfig" type="xs:string" minOccurs="0" maxOccurs="1"/>
+							<xs:element name="AdESFormResult" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
+							<xs:choice>
+								<xs:element name="PermitExternalUris" minOccurs="0">
+									<xs:complexType>
+										<xs:sequence minOccurs="0">
+											<xs:element name="BlackListUri" minOccurs="0" maxOccurs="unbounded">
+												<xs:complexType>
+													<xs:sequence>
+														<xs:element name="IP" type="xs:string"/>
+														<xs:element name="Port" type="xs:int" minOccurs="0"/>
+													</xs:sequence>
+												</xs:complexType>
+											</xs:element>
+										</xs:sequence>
+									</xs:complexType>
+								</xs:element>
+								<xs:element name="ForbidExternalUris" minOccurs="0">
+									<xs:complexType>
+										<xs:sequence>
+											<xs:element name="WhiteListUri" minOccurs="0" maxOccurs="unbounded">
+												<xs:complexType>
+													<xs:sequence>
+														<xs:element name="IP" type="xs:string"/>
+														<xs:element name="Port" type="xs:int" minOccurs="0"/>
+													</xs:sequence>
+												</xs:complexType>
+											</xs:element>
+										</xs:sequence>
+									</xs:complexType>
+								</xs:element>
+							</xs:choice>
+						</xs:sequence>
+					</xs:complexType>
+				</xs:element>
+				<xs:element name="SignatureCreation" minOccurs="0">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="KeyModules">
+								<xs:complexType>
+									<xs:choice maxOccurs="unbounded">
+										<xs:element name="HardwareKeyModule">
+											<xs:complexType>
+												<xs:sequence>
+													<xs:element name="Id" type="xs:token"/>
+													<xs:element name="Name" type="xs:string"/>
+													<xs:element name="SlotId" type="xs:string" minOccurs="0"/>
+													<xs:element name="UserPIN" type="xs:string"/>
+												</xs:sequence>
+											</xs:complexType>
+										</xs:element>
+										<xs:element name="SoftwareKeyModule">
+											<xs:complexType>
+												<xs:sequence>
+													<xs:element name="Id" type="xs:token"/>
+													<xs:element name="FileName" type="xs:string"/>
+													<xs:element name="Password" type="xs:string" minOccurs="0"/>
+												</xs:sequence>
+											</xs:complexType>
+										</xs:element>
+									</xs:choice>
+								</xs:complexType>
+							</xs:element>
+							<xs:element name="KeyGroup" maxOccurs="unbounded">
+								<xs:complexType>
+									<xs:sequence>
+										<xs:element name="Id" type="xs:token"/>
+										<xs:sequence maxOccurs="unbounded">
+											<xs:element name="Key">
+												<xs:complexType>
+													<xs:sequence>
+														<xs:element name="KeyModuleId" type="xs:token"/>
+														<xs:element name="KeyCertIssuerSerial" type="dsig:X509IssuerSerialType"/>
+													</xs:sequence>
+												</xs:complexType>
+											</xs:element>
+										</xs:sequence>
+										<xs:element name="DigestMethodAlgorithm" minOccurs="0"/>
+									</xs:sequence>
+								</xs:complexType>
+							</xs:element>
+							<xs:element name="KeyGroupMapping" maxOccurs="unbounded">
+								<xs:complexType>
+									<xs:sequence>
+										<xs:element name="CustomerId" type="dsig:X509IssuerSerialType" minOccurs="0"/>
+										<xs:element name="KeyGroupId" type="xs:token" maxOccurs="unbounded"/>
+									</xs:sequence>
+								</xs:complexType>
+							</xs:element>
+							<xs:element name="XMLDSig">
+								<xs:complexType>
+									<xs:sequence>
+										<xs:element name="CanonicalizationAlgorithm" type="xs:anyURI" minOccurs="0"/>
+										<xs:element name="DigestMethodAlgorithm" type="xs:anyURI" minOccurs="0"/>
+									</xs:sequence>
+								</xs:complexType>
+							</xs:element>
+							<xs:element name="CreateTransformsInfoProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="CreateSignatureEnvironmentProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="XAdES" minOccurs="0">
+								<xs:complexType>
+									<xs:sequence>
+										<xs:element name="Version">
+											<xs:simpleType>
+												<xs:restriction base="xs:token">
+													<xs:enumeration value="1.4.2"/>
+												</xs:restriction>
+											</xs:simpleType>
+										</xs:element>
+									</xs:sequence>
+								</xs:complexType>
+							</xs:element>
+						</xs:sequence>
+					</xs:complexType>
+				</xs:element>
+				<xs:element name="SignatureVerification" minOccurs="0">
+					<xs:complexType>
+						<xs:sequence>
+							<xs:element name="CertificateValidation">
+								<xs:complexType>
+									<xs:sequence>
+										<xs:element name="ReadTimeout" type="xs:string" minOccurs="0" maxOccurs="1"/>
+										<xs:element name="PathConstruction">
+											<xs:complexType>
+												<xs:sequence>
+													<xs:element name="AutoAddCertificates" type="xs:boolean"/>
+													<xs:element name="UseAuthorityInformationAccess" type="xs:boolean"/>
+													<xs:element name="CertificateStore">
+														<xs:complexType>
+															<xs:choice>
+																<xs:element name="DirectoryStore">
+																	<xs:complexType>
+																		<xs:sequence>
+																			<xs:element name="Location" type="xs:token"/>
+																		</xs:sequence>
+																	</xs:complexType>
+																</xs:element>
+															</xs:choice>
+														</xs:complexType>
+													</xs:element>
+												</xs:sequence>
+											</xs:complexType>
+										</xs:element>
+										<xs:element name="PathValidation">
+											<xs:complexType>
+												<xs:sequence>
+													<xs:element name="ChainingMode">
+														<xs:complexType>
+															<xs:sequence>
+																<xs:element name="DefaultMode" type="config:ChainingModeType"/>
+																<xs:element name="TrustAnchor" minOccurs="0" maxOccurs="unbounded">
+																	<xs:complexType>
+																		<xs:sequence>
+																			<xs:element name="Identification" type="dsig:X509IssuerSerialType"/>
+																			<xs:element name="Mode" type="config:ChainingModeType"/>
+																		</xs:sequence>
+																	</xs:complexType>
+																</xs:element>
+															</xs:sequence>
+														</xs:complexType>
+													</xs:element>
+													<xs:element name="TrustProfile" minOccurs="0" maxOccurs="unbounded">
+														<xs:complexType>
+															<xs:sequence>
+																<xs:element name="Id" type="xs:token"/>
+																<xs:element name="TrustAnchorsLocation" type="xs:anyURI"/>
+																<xs:element name="SignerCertsLocation" type="xs:anyURI" minOccurs="0"/>
+																<xs:element name="EUTSL" minOccurs="0">
+																	<xs:complexType>
+																		<xs:sequence>
+																			<xs:element name="CountrySelection" type="xs:string" minOccurs="0"/>
+																			<xs:element name="AllowedTSPStatus" type="xs:string" minOccurs="0"/>
+																			<xs:element name="AllowedTSPServiceTypes" type="xs:string" minOccurs="0"/>
+																		</xs:sequence>
+																	</xs:complexType>
+																</xs:element>
+															</xs:sequence>
+														</xs:complexType>
+													</xs:element>
+													<!-- 
+													<xs:element name="TSLTrustProfile">
+													<xs:complexType>
+															<xs:sequence>
+																<xs:element name="Id" type="xs:token"/>
+																<xs:element name="TrustAnchorsLocation" type="xs:anyURI"/>
+																<xs:element name="SignerCertsLocation" type="xs:anyURI" minOccurs="0"/>
+																<xs:element name="EUTSL" minOccurs="0">
+																	<xs:complexType>
+																		<xs:sequence>
+																			<xs:element name="CountrySelection" minOccurs="0"/>
+																		</xs:sequence>
+																	</xs:complexType>
+																</xs:element>
+															</xs:sequence>
+														</xs:complexType>
+													</xs:element>
+													 -->
+												</xs:sequence>
+											</xs:complexType>
+										</xs:element>
+										<xs:element name="RevocationChecking">
+											<xs:complexType>
+												<xs:sequence>
+													<xs:element name="EnableChecking" type="xs:boolean"/>
+													<xs:element name="MaxRevocationAge" type="xs:integer"/>
+													<xs:element name="ServiceOrder" minOccurs="0">
+														<xs:complexType>
+															<xs:sequence maxOccurs="2">
+																<xs:element name="Service">
+																	<xs:simpleType>
+																		<xs:restriction base="xs:token">
+																			<xs:enumeration value="OCSP"/>
+																			<xs:enumeration value="CRL"/>
+																		</xs:restriction>
+																	</xs:simpleType>
+																</xs:element>
+															</xs:sequence>
+														</xs:complexType>
+													</xs:element>
+													<xs:element name="Archiving">
+														<xs:complexType>
+															<xs:sequence>
+																<xs:element name="EnableArchiving" type="xs:boolean"/>
+																<xs:element name="ArchiveDuration" type="xs:nonNegativeInteger" minOccurs="0"/>
+																<xs:element name="Archive" minOccurs="0">
+																	<xs:complexType>
+																		<xs:choice>
+																			<xs:element name="DatabaseArchive">
+																				<xs:complexType>
+																					<xs:sequence>
+																						<xs:element name="JDBCURL" type="xs:anyURI"/>
+																						<xs:element name="JDBCDriverClassName" type="xs:token"/>
+																					</xs:sequence>
+																				</xs:complexType>
+																			</xs:element>
+																		</xs:choice>
+																	</xs:complexType>
+																</xs:element>
+															</xs:sequence>
+														</xs:complexType>
+													</xs:element>
+													<xs:element name="DistributionPoint" minOccurs="0" maxOccurs="unbounded">
+														<xs:complexType>
+															<xs:sequence>
+																<xs:element name="CAIssuerDN" type="xs:token"/>
+																<xs:choice maxOccurs="unbounded">
+																	<xs:element name="CRLDP">
+																		<xs:complexType>
+																			<xs:sequence>
+																				<xs:element name="Location" type="xs:anyURI"/>
+																				<xs:element name="ReasonCode" minOccurs="0" maxOccurs="unbounded">
+																					<xs:simpleType>
+																						<xs:restriction base="xs:token">
+																							<xs:enumeration value="unused"/>
+																							<xs:enumeration value="keyCompromise"/>
+																							<xs:enumeration value="cACompromise"/>
+																							<xs:enumeration value="affiliationChanged"/>
+																							<xs:enumeration value="superseded"/>
+																							<xs:enumeration value="cessationOfOperation"/>
+																							<xs:enumeration value="certificateHold"/>
+																							<xs:enumeration value="privilegeWithdrawn"/>
+																							<xs:enumeration value="aACompromise"/>
+																						</xs:restriction>
+																					</xs:simpleType>
+																				</xs:element>
+																			</xs:sequence>
+																		</xs:complexType>
+																	</xs:element>
+																	<xs:element name="OCSPDP">
+																		<xs:complexType>
+																			<xs:sequence>
+																				<xs:element name="Location" type="xs:anyURI"/>
+																			</xs:sequence>
+																		</xs:complexType>
+																	</xs:element>
+																</xs:choice>
+															</xs:sequence>
+														</xs:complexType>
+													</xs:element>
+													<xs:element name="CrlRetentionIntervals" minOccurs="0">
+														<xs:complexType>
+															<xs:sequence maxOccurs="unbounded">
+																<xs:element name="CA">
+																	<xs:complexType>
+																		<xs:sequence>
+																			<xs:element name="X509IssuerName" type="xs:string"/>
+																			<xs:element name="Interval" type="xs:integer"/>
+																		</xs:sequence>
+																	</xs:complexType>
+																</xs:element>
+															</xs:sequence>
+														</xs:complexType>
+													</xs:element>
+												</xs:sequence>
+											</xs:complexType>
+										</xs:element>
+										<xs:element name="TSLConfiguration" minOccurs="0">
+											<xs:complexType>
+												<xs:sequence>
+													<xs:element name="EUTSLUrl" type="xs:anyURI" minOccurs="0"/>
+													<xs:element name="UpdateSchedule" minOccurs="0">
+														<xs:complexType>
+															<xs:sequence>
+																<xs:element name="StartTime" type="xs:time"/>
+																<xs:element name="Period" type="xs:unsignedLong"/>
+															</xs:sequence>
+														</xs:complexType>
+													</xs:element>
+													<xs:element name="WorkingDirectory" type="xs:anyURI" minOccurs="0"/>
+												</xs:sequence>
+											</xs:complexType>
+										</xs:element>
+									</xs:sequence>
+								</xs:complexType>
+							</xs:element>
+							<xs:element name="VerifyTransformsInfoProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="SupplementProfile" type="config:ProfileType" minOccurs="0" maxOccurs="unbounded"/>
+							<xs:element name="PermitFileURIs" type="xs:boolean" default="false" minOccurs="0"/>
+						</xs:sequence>
+					</xs:complexType>
+				</xs:element>
+			</xs:sequence>
+		</xs:complexType>
+	</xs:element>
+	<xs:simpleType name="ChainingModeType">
+		<xs:restriction base="xs:string">
+			<xs:enumeration value="chaining"/>
+			<xs:enumeration value="pkix"/>
+		</xs:restriction>
+	</xs:simpleType>
+	<xs:complexType name="ProfileType">
+		<xs:sequence>
+			<xs:element name="Id" type="xs:token"/>
+			<xs:element name="Location" type="xs:anyURI"/>
+		</xs:sequence>
+	</xs:complexType>
+</xs:schema>
diff --git a/moaSig/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml b/moaSig/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml
index 8d7541b..2a8cdd0 100644
--- a/moaSig/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml
+++ b/moaSig/handbook/conf/moa-spss/sp.minimum_with_tsl.config.xml
@@ -25,6 +25,8 @@
 <!--	</cfg:Common>-->
 	<cfg:SignatureVerification>
 		<cfg:CertificateValidation>
+			<!-- ReadTimeout in seconds-->
+			<cfg:ReadTimeout>30</cfg:ReadTimeout>
 			<cfg:PathConstruction>
 				<cfg:AutoAddCertificates>true</cfg:AutoAddCertificates>
 				<cfg:UseAuthorityInformationAccess>true</cfg:UseAuthorityInformationAccess>
@@ -49,7 +51,9 @@
 					<cfg:EUTSL>
 					<!-- Optional kann eine Länderliste mit zweistelligen Länderkürzeln angegeben werden (d.h. nur die -->
 					<!-- Vertrauensanker der angegeben Länder werden importiert) -->
-					<!--<cfg:CountrySelection>AT,BE</cfg:CountrySelection>-->
+						<cfg:CountrySelection>AT,BE</cfg:CountrySelection>
+						<cfg:AllowedTSPStatus></cfg:AllowedTSPStatus>
+						<cfg:AllowedTSPServiceTypes></cfg:AllowedTSPServiceTypes>
 					</cfg:EUTSL>
 				</cfg:TrustProfile>
 			</cfg:PathValidation>
diff --git a/moaSig/libs/iaik_tsl-1.1.jar b/moaSig/libs/iaik_tsl-1.1.jar
deleted file mode 100644
index 82d84ba..0000000
Binary files a/moaSig/libs/iaik_tsl-1.1.jar and /dev/null differ
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
index e134d57..6c826ad 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java
@@ -31,7 +31,6 @@ import iaik.pki.revocation.RevocationSourceTypes;
 import iaik.server.modules.xml.BlackListEntry;
 import iaik.server.modules.xml.ExternalReferenceChecker;
 import iaik.server.modules.xml.WhiteListEntry;
-import iaik.util.logging.Log;
 import iaik.utils.RFC2253NameParser;
 import iaik.utils.RFC2253NameParserException;
 import iaik.xml.crypto.utils.URI;
@@ -433,7 +432,7 @@ public class ConfigurationPartsBuilder {
     	try {
     		defaultConnectionTimeout = Integer.parseInt(connectionTimeout);
     	} catch(NumberFormatException e) {
-    		Log.warn("Configuration value " + CONNECTION_TIMEOUT_XPATH_ + " should be a number defaulting to 30");
+    		Logger.warn("Configuration value " + CONNECTION_TIMEOUT_XPATH_ + " should be a number defaulting to 30");
     	}
     }
     
@@ -453,7 +452,7 @@ public class ConfigurationPartsBuilder {
     	try {
     		defaultConnectionTimeout = Integer.parseInt(connectionTimeout);
     	} catch(NumberFormatException e) {
-    		Log.warn("Configuration value " + READ_TIMEOUT_XPATH_ + " should be a number defaulting to 30");
+    		Logger.warn("Configuration value " + READ_TIMEOUT_XPATH_ + " should be a number defaulting to 30");
     	}
     }
     
diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
index 789336e..d8ebd85 100644
--- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
+++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java
@@ -46,6 +46,7 @@ import at.gv.egovernment.moa.spss.api.common.Content;
 import at.gv.egovernment.moa.spss.api.common.ExtendedCertificateCheckResult;
 import at.gv.egovernment.moa.spss.api.common.InputData;
 import at.gv.egovernment.moa.spss.api.common.SignerInfo;
+import at.gv.egovernment.moa.spss.api.common.TslInfos;
 import at.gv.egovernment.moa.spss.api.impl.InputDataBinaryImpl;
 import at.gv.egovernment.moa.spss.api.impl.InputDataXMLImpl;
 import at.gv.egovernment.moa.spss.api.xmlverify.ManifestRefsCheckResultInfo;
@@ -160,7 +161,8 @@ public class VerifyXMLSignatureResponseBuilder {
     boolean checkSSCD,
     boolean sscdSourceTSL,
     boolean isTSLEnabledTrustprofile,
-    String issuerCountryCode)
+    String issuerCountryCode,
+    TslInfos tslInfos)
     throws MOAApplicationException {
 
     CertificateValidationResult certResult =
@@ -187,7 +189,8 @@ public class VerifyXMLSignatureResponseBuilder {
         checkSSCD,
         sscdSourceTSL,
         issuerCountryCode,
-              result.getSigningTime());
+        result.getSigningTime(),
+        tslInfos);
 
     // Create HashInputData Content objects
     referenceDataList = result.getReferenceDataList();
-- 
cgit v1.2.3