From 6c09d652d6317d1514924518c3186470498247a9 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Thu, 5 Nov 2015 14:01:45 +0100 Subject: PDF-AS integration, AdES Form validation results from IAIK-MOA, for XAdES --- .../gv/egovernment/moa/spss/api/SPSSFactory.java | 3 +- .../moa/spss/api/impl/AdESFormResultsImpl.java | 42 + .../moa/spss/api/impl/SPSSFactoryImpl.java | 5 +- .../api/impl/VerifyXMLSignatureResponseImpl.java | 266 ++-- .../moa/spss/api/xmlbind/ResponseBuilderUtils.java | 33 + .../xmlbind/VerifyXMLSignatureResponseBuilder.java | 17 + .../moa/spss/api/xmlverify/AdESFormResults.java | 7 + .../api/xmlverify/VerifyXMLSignatureResponse.java | 9 +- .../server/config/ConfigurationPartsBuilder.java | 2 +- .../XMLSignatureVerificationProfileImpl.java | 2 +- .../moa/spss/server/init/SystemInitializer.java | 2 +- .../invoke/VerifyXMLSignatureResponseBuilder.java | 8 +- .../invoke/XMLSignatureVerificationInvoker.java | 1288 ++++++++++---------- 13 files changed, 914 insertions(+), 770 deletions(-) create mode 100644 moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/AdESFormResultsImpl.java create mode 100644 moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlverify/AdESFormResults.java (limited to 'moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss') diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java index 4c57b13..b725422 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/SPSSFactory.java @@ -797,7 +797,8 @@ public abstract class SPSSFactory { ReferencesCheckResult signatureCheck, ReferencesCheckResult signatureManifestCheck, List xmlDsigManifestChecks, - CheckResult certificateCheck); + CheckResult certificateCheck, + List adesFormResults); /** * Create a new ReferencesCheckResult object. diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/AdESFormResultsImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/AdESFormResultsImpl.java new file mode 100644 index 0000000..c186c54 --- /dev/null +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/AdESFormResultsImpl.java @@ -0,0 +1,42 @@ +package at.gv.egovernment.moa.spss.api.impl; + +import at.gv.egovernment.moa.spss.api.xmlverify.AdESFormResults; + +public class AdESFormResultsImpl implements AdESFormResults { + + private Integer code; + private String info; + private String name; + + public synchronized void setCode(Integer code) { + this.code = code; + } + + public synchronized void setInfo(String info) { + this.info = info; + } + + public synchronized void setName(String name) { + this.name = name; + } + + @Override + public Integer getCode() { + return this.code; + } + + @Override + public String getInfo() { + return this.info; + } + + @Override + public String getName() { + return this.name; + } + + @Override + public String toString() { + return "AdESFormResultsImpl [code=" + code + ", info=" + info + ", name=" + name + "]"; + } +} diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java index ac3d4c9..8a46219 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/SPSSFactoryImpl.java @@ -453,7 +453,8 @@ public class SPSSFactoryImpl extends SPSSFactory { ReferencesCheckResult signatureCheck, ReferencesCheckResult signatureManifestCheck, List xmlDsigManifestChecks, - CheckResult certificateCheck) { + CheckResult certificateCheck, + List adesFormResults) { VerifyXMLSignatureResponseImpl verifyXMLSignatureResponse = new VerifyXMLSignatureResponseImpl(); verifyXMLSignatureResponse.setSignerInfo(signerInfo); @@ -464,7 +465,7 @@ public class SPSSFactoryImpl extends SPSSFactory { signatureManifestCheck); verifyXMLSignatureResponse.setXMLDsigManifestChecks(xmlDsigManifestChecks); verifyXMLSignatureResponse.setCertificateCheck(certificateCheck); - + verifyXMLSignatureResponse.setAdESFormResults(adesFormResults); return verifyXMLSignatureResponse; } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyXMLSignatureResponseImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyXMLSignatureResponseImpl.java index 46fd517..bfee774 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyXMLSignatureResponseImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/impl/VerifyXMLSignatureResponseImpl.java @@ -21,7 +21,6 @@ * that you distribute must include a readable copy of the "NOTICE" text file. */ - package at.gv.egovernment.moa.spss.api.impl; import java.util.ArrayList; @@ -37,130 +36,145 @@ import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; * @author Fatemeh Philippi * @version $Id$ */ -public class VerifyXMLSignatureResponseImpl - implements VerifyXMLSignatureResponse { - - /** Information about the signer certificate. */ - private SignerInfo signerInfo; - - /** - * The hash input data objects. The list consists of {@link at.gv.egovernment.moa.spss.api.common.InputData}s. - * */ - private List hashInputDatas = new ArrayList(); - - /** - * The reference input data objects. The list consists of {@link at.gv.egovernment.moa.spss.api.common.InputData}s. - * */ - private List referenceInputDatas = new ArrayList(); - - /** Information about the signature check. */ - private ReferencesCheckResult signatureCheck; - /** Information about the signature manifest check. */ - private ReferencesCheckResult signatureManifestCheck; - /** Information about the XMLDsig manifest check. */ - private List xmlDsigManifestChecks = new ArrayList(); - /** Information about the certificate check. */ - private CheckResult certificateCheck; - - /** - * Sets information about the signer certificate. - * - * @param signerInfo Information about the signer certificate. - */ - public void setSignerInfo(SignerInfo signerInfo) { - this.signerInfo = signerInfo; - } - - public SignerInfo getSignerInfo() { - return signerInfo; - } - - /** - * Sets data signed by the signatory. - * - * @param hashInputDatas The signed datas. - */ - public void setHashInputDatas(List hashInputDatas) { - this.hashInputDatas = - hashInputDatas != null - ? Collections.unmodifiableList(new ArrayList(hashInputDatas)) - : null; - } - - public List getHashInputDatas() { - return hashInputDatas; - } - - /** - * Sets the source data elements. - * - * @param referenceInputDatas The source data elements. - */ - public void setReferenceInputDatas(List referenceInputDatas) { - this.referenceInputDatas = - referenceInputDatas != null - ? Collections.unmodifiableList(new ArrayList(referenceInputDatas)) - : null; - } - - public List getReferenceInputDatas() { - return referenceInputDatas; - } - - /** - * Sets the result of the signature verification. - * - * @param signatureCheck The result of the signature verification. - */ - public void setSignatureCheck(ReferencesCheckResult signatureCheck) { - this.signatureCheck = signatureCheck; - } - - public ReferencesCheckResult getSignatureCheck() { - return signatureCheck; - } - - /** - * Sets the result of the signature manifest verification. - * - * @param signatureManifestCheck The result of the signature manifest verification. - */ - public void setSignatureManifestCheck(ReferencesCheckResult signatureManifestCheck) { - this.signatureManifestCheck = signatureManifestCheck; - } - - public ReferencesCheckResult getSignatureManifestCheck() { - return signatureManifestCheck; - } - - /** - * Sets the result of the certification verification. - * - * @param certificateCheck The result of the certificate verification. - */ - public void setCertificateCheck(CheckResult certificateCheck) { - this.certificateCheck = certificateCheck; - } - - public CheckResult getCertificateCheck() { - return certificateCheck; - } - - - /** - * Sets the XMLDSigManifestChecks. - * - * @param xmlDsigManifestChecks The XMLDSigManifestChecks. - */ - public void setXMLDsigManifestChecks(List xmlDsigManifestChecks) { - this.xmlDsigManifestChecks = - xmlDsigManifestChecks != null - ? Collections.unmodifiableList(new ArrayList(xmlDsigManifestChecks)) - : null; - } - - public List getXMLDsigManifestChecks() { - return xmlDsigManifestChecks; - } +public class VerifyXMLSignatureResponseImpl implements VerifyXMLSignatureResponse { + + /** Information about the signer certificate. */ + private SignerInfo signerInfo; + + /** + * The hash input data objects. The list consists of + * {@link at.gv.egovernment.moa.spss.api.common.InputData}s. + */ + private List hashInputDatas = new ArrayList(); + + /** + * The reference input data objects. The list consists of + * {@link at.gv.egovernment.moa.spss.api.common.InputData}s. + */ + private List referenceInputDatas = new ArrayList(); + + /** + * The list of form validation results + */ + private List adesFormResults = new ArrayList(); + + /** Information about the signature check. */ + private ReferencesCheckResult signatureCheck; + /** Information about the signature manifest check. */ + private ReferencesCheckResult signatureManifestCheck; + /** Information about the XMLDsig manifest check. */ + private List xmlDsigManifestChecks = new ArrayList(); + /** Information about the certificate check. */ + private CheckResult certificateCheck; + + /** + * Sets information about the signer certificate. + * + * @param signerInfo + * Information about the signer certificate. + */ + public void setSignerInfo(SignerInfo signerInfo) { + this.signerInfo = signerInfo; + } + + public SignerInfo getSignerInfo() { + return signerInfo; + } + + /** + * Sets data signed by the signatory. + * + * @param hashInputDatas + * The signed datas. + */ + public void setHashInputDatas(List hashInputDatas) { + this.hashInputDatas = hashInputDatas != null ? Collections.unmodifiableList(new ArrayList(hashInputDatas)) + : null; + } + + public List getHashInputDatas() { + return hashInputDatas; + } + + /** + * Sets the source data elements. + * + * @param referenceInputDatas + * The source data elements. + */ + public void setReferenceInputDatas(List referenceInputDatas) { + this.referenceInputDatas = referenceInputDatas != null + ? Collections.unmodifiableList(new ArrayList(referenceInputDatas)) : null; + } + + public List getReferenceInputDatas() { + return referenceInputDatas; + } + + /** + * Sets the result of the signature verification. + * + * @param signatureCheck + * The result of the signature verification. + */ + public void setSignatureCheck(ReferencesCheckResult signatureCheck) { + this.signatureCheck = signatureCheck; + } + + public ReferencesCheckResult getSignatureCheck() { + return signatureCheck; + } + + /** + * Sets the result of the signature manifest verification. + * + * @param signatureManifestCheck + * The result of the signature manifest verification. + */ + public void setSignatureManifestCheck(ReferencesCheckResult signatureManifestCheck) { + this.signatureManifestCheck = signatureManifestCheck; + } + + public ReferencesCheckResult getSignatureManifestCheck() { + return signatureManifestCheck; + } + + /** + * Sets the result of the certification verification. + * + * @param certificateCheck + * The result of the certificate verification. + */ + public void setCertificateCheck(CheckResult certificateCheck) { + this.certificateCheck = certificateCheck; + } + + public CheckResult getCertificateCheck() { + return certificateCheck; + } + + /** + * Sets the XMLDSigManifestChecks. + * + * @param xmlDsigManifestChecks + * The XMLDSigManifestChecks. + */ + public void setXMLDsigManifestChecks(List xmlDsigManifestChecks) { + this.xmlDsigManifestChecks = xmlDsigManifestChecks != null + ? Collections.unmodifiableList(new ArrayList(xmlDsigManifestChecks)) : null; + } + + public List getXMLDsigManifestChecks() { + return xmlDsigManifestChecks; + } + + public void setAdESFormResults(List adesFormResults) { + this.adesFormResults = adesFormResults; + } + + @Override + public List getAdESFormResults() { + return this.adesFormResults; + } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java index b5ec20f..eaafe00 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/ResponseBuilderUtils.java @@ -286,4 +286,37 @@ public class ResponseBuilderUtils { root.appendChild(codeInfoElem); } + /** + * Add an element containing Code and Info + * subelements. + * + * @param response The response document, in order to create new elements in + * it. + * @param root The root element into which to insert the newly created + * element. + * @param elementName The name of the newly created element. + * @param code The content of the Code subelement. + * @param info The content of the Info subelement. + */ + public static void addFormCheckElement( + Document response, + Element root, + String elementName, + int code, + String name) { + + Element codeInfoElem = response.createElementNS(MOA_NS_URI, elementName); + Element codeElem = response.createElementNS(MOA_NS_URI, "Code"); + Element infoElem; + + codeElem.appendChild(response.createTextNode(Integer.toString(code))); + codeInfoElem.appendChild(codeElem); + + infoElem = response.createElementNS(MOA_NS_URI, "Name"); + infoElem.appendChild(response.createTextNode(name)); + codeInfoElem.appendChild(infoElem); + + root.appendChild(codeInfoElem); + } + } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java index dd4e13a..27a42c8 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyXMLSignatureResponseBuilder.java @@ -42,6 +42,7 @@ import at.gv.egovernment.moa.spss.api.common.Content; import at.gv.egovernment.moa.spss.api.common.ContentBinary; import at.gv.egovernment.moa.spss.api.common.ContentXML; import at.gv.egovernment.moa.spss.api.common.InputData; +import at.gv.egovernment.moa.spss.api.xmlverify.AdESFormResults; import at.gv.egovernment.moa.spss.api.xmlverify.ManifestRefsCheckResult; import at.gv.egovernment.moa.spss.api.xmlverify.ReferencesCheckResult; import at.gv.egovernment.moa.spss.api.xmlverify.VerifyXMLSignatureResponse; @@ -150,6 +151,22 @@ public class VerifyXMLSignatureResponseBuilder { response.getCertificateCheck().getInfo()); + if(response.getAdESFormResults() != null) { + + Iterator formIterator = response.getAdESFormResults().iterator(); + + while(formIterator.hasNext()) { + AdESFormResults adESFormResult = (AdESFormResults)formIterator.next(); + // add the CertificateCheck + ResponseBuilderUtils.addFormCheckElement( + responseDoc, + responseElem, + "FormCheckResult", + adESFormResult.getCode().intValue(), + adESFormResult.getName()); + + } + } return responseDoc; } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlverify/AdESFormResults.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlverify/AdESFormResults.java new file mode 100644 index 0000000..e12c39b --- /dev/null +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlverify/AdESFormResults.java @@ -0,0 +1,7 @@ +package at.gv.egovernment.moa.spss.api.xmlverify; + +public interface AdESFormResults { + public Integer getCode(); + public String getInfo(); + public String getName(); +} diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlverify/VerifyXMLSignatureResponse.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlverify/VerifyXMLSignatureResponse.java index d107dc9..63c496a 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlverify/VerifyXMLSignatureResponse.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlverify/VerifyXMLSignatureResponse.java @@ -81,7 +81,14 @@ public interface VerifyXMLSignatureResponse { */ public CheckResult getCertificateCheck(); - + /** + * Gets AdES Form results + * + * This might be null! + * + * @return The result of the AdES Form validation + */ + public List getAdESFormResults(); } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java index af67d30..cb840ae 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/config/ConfigurationPartsBuilder.java @@ -102,7 +102,7 @@ public class ConfigurationPartsBuilder { private static final String ROOT = "/" + CONF + "MOAConfiguration/"; private static final String PDFAS_CONFIGURATION_XPATH = - ROOT + CONF + "PDFASConfig"; + ROOT + CONF + "Common/" + CONF + "PDFASConfig"; private static final String DIGEST_METHOD_XPATH = ROOT + CONF + "SignatureCreation/" diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlverify/XMLSignatureVerificationProfileImpl.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlverify/XMLSignatureVerificationProfileImpl.java index f4c9126..0ad3d79 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlverify/XMLSignatureVerificationProfileImpl.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/iaik/xmlverify/XMLSignatureVerificationProfileImpl.java @@ -172,6 +172,6 @@ public class XMLSignatureVerificationProfileImpl @Override public String getTargetLevel() { - return XMLSignatureVerificationProfile.LEVEL_B; + return XMLSignatureVerificationProfile.LEVEL_LTA; } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index f2663cf..37569c5 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -78,7 +78,7 @@ public class SystemInitializer { private static void runInitializer(ConfigurationProvider configurationProvider) { Iterator initializerIterator = initializerServices.iterator(); - + logger.info("Running external initializers"); while(initializerIterator.hasNext()) { ExternalInitializer externalInitializer = initializerIterator.next(); externalInitializer.initialize(configurationProvider); diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java index 9021785..7bcf723 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyXMLSignatureResponseBuilder.java @@ -100,6 +100,7 @@ public class VerifyXMLSignatureResponseBuilder { private List xmlDsigManifestChecks; /** The result of the certificate check. */ private CheckResult certificateCheck; + private List adesFormResults = null; /** * Get the VerifyMLSignatureResponse built so far. @@ -114,7 +115,12 @@ public class VerifyXMLSignatureResponseBuilder { signatureCheck, signatureManifestCheck, xmlDsigManifestChecks, - certificateCheck); + certificateCheck, + adesFormResults); + } + + public void setAdESFormResults(List adesForm) { + this.adesFormResults = adesForm; } /** diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java index 2b158dd..c09740c 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/XMLSignatureVerificationInvoker.java @@ -21,26 +21,8 @@ * that you distribute must include a readable copy of the "NOTICE" text file. */ - package at.gv.egovernment.moa.spss.server.invoke; -import iaik.xml.crypto.utils.URI; -import iaik.xml.crypto.utils.URIException; -import iaik.server.modules.IAIKException; -import iaik.server.modules.IAIKRuntimeException; -import iaik.server.modules.xml.DataObject; -import iaik.server.modules.xml.XMLDataObject; -import iaik.server.modules.xml.XMLSignature; -import iaik.server.modules.xmlsign.XMLConstants; -import iaik.server.modules.xmlverify.DsigManifest; -import iaik.server.modules.xmlverify.ReferenceData; -import iaik.server.modules.xmlverify.SecurityLayerManifest; -import iaik.server.modules.xmlverify.XMLSignatureVerificationModule; -import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory; -import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile; -import iaik.server.modules.xmlverify.XMLSignatureVerificationResult; -import iaik.x509.X509Certificate; - import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; @@ -68,6 +50,7 @@ import at.gv.egovernment.moa.spss.MOASystemException; import at.gv.egovernment.moa.spss.api.SPSSFactory; import at.gv.egovernment.moa.spss.api.common.CheckResult; import at.gv.egovernment.moa.spss.api.common.XMLDataObjectAssociation; +import at.gv.egovernment.moa.spss.api.impl.AdESFormResultsImpl; import at.gv.egovernment.moa.spss.api.xmlverify.ReferenceInfo; import at.gv.egovernment.moa.spss.api.xmlverify.ReferencesCheckResult; import at.gv.egovernment.moa.spss.api.xmlverify.ReferencesCheckResultInfo; @@ -90,12 +73,32 @@ import at.gv.egovernment.moa.spss.util.MessageProvider; import at.gv.egovernment.moa.spss.util.QCSSCDResult; import at.gv.egovernment.moa.util.CollectionUtils; import at.gv.egovernment.moa.util.Constants; +import iaik.server.modules.AdESFormVerificationResult; +import iaik.server.modules.AdESVerificationResult; +import iaik.server.modules.IAIKException; +import iaik.server.modules.IAIKRuntimeException; +import iaik.server.modules.SignatureVerificationProfile; +import iaik.server.modules.xml.DataObject; +import iaik.server.modules.xml.XMLDataObject; +import iaik.server.modules.xml.XMLSignature; +import iaik.server.modules.xmlsign.XMLConstants; +import iaik.server.modules.xmlverify.DsigManifest; +import iaik.server.modules.xmlverify.ExtendedXMLSignatureVerificationResult; +import iaik.server.modules.xmlverify.ReferenceData; +import iaik.server.modules.xmlverify.SecurityLayerManifest; +import iaik.server.modules.xmlverify.XMLSignatureVerificationModule; +import iaik.server.modules.xmlverify.XMLSignatureVerificationModuleFactory; +import iaik.server.modules.xmlverify.XMLSignatureVerificationProfile; +import iaik.server.modules.xmlverify.XMLSignatureVerificationResult; +import iaik.x509.X509Certificate; +import iaik.xml.crypto.utils.URI; +import iaik.xml.crypto.utils.URIException; /** * A class providing a DOM based interface to the * XMLSignatureVerificationModule. * - * This class performs the invocation of the + * This class performs the invocation of the * iaik.server.modules.xmlverify.XMLSignatureVerificationModule * from a VerifyXMLSignatureRequest given as a DOM element. The * result of the invocation is integrated into a @@ -106,622 +109,635 @@ import at.gv.egovernment.moa.util.Constants; */ public class XMLSignatureVerificationInvoker { - /** The single instance of this class. */ - private static XMLSignatureVerificationInvoker instance = null; - - private static Set FILTERED_REF_TYPES; - - static { - FILTERED_REF_TYPES = new HashSet(); - FILTERED_REF_TYPES.add(DsigManifest.XML_DSIG_MANIFEST_TYPE); - FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE); - FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD); - FILTERED_REF_TYPES.add(XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties"); - FILTERED_REF_TYPES.add("http://uri.etsi.org/01903#SignedProperties"); - } - - /** - * Get the single instance of this class. - * - * @return The single instance of this class. - */ - public static synchronized XMLSignatureVerificationInvoker getInstance() { - if (instance == null) { - instance = new XMLSignatureVerificationInvoker(); - } - return instance; - } - - /** - * Create a new XMLSignatureCreationInvoker. - * - * Protected to disallow multiple instances. - */ - protected XMLSignatureVerificationInvoker() { - } - - /** - * Process the VerifyXMLSignatureRequest message and invoke the - * XMLSignatureVerificationModule. - * - * @param request A VerifyXMLSignatureRequest API object - * containing the data for verifying an XML signature. - * @return A VerifyXMLSignatureResponse containing the - * answert to the VerifyXMLSignatureRequest. - * MOA schema definition. - * @throws MOAException An error occurred during signature verification. - */ - public VerifyXMLSignatureResponse verifyXMLSignature(VerifyXMLSignatureRequest request) - throws MOAException { - - TransactionContext context = - TransactionContextManager.getInstance().getTransactionContext(); - LoggingContext loggingCtx = - LoggingContextManager.getInstance().getLoggingContext(); - XMLSignatureVerificationProfileFactory profileFactory = - new XMLSignatureVerificationProfileFactory(request); - VerifyXMLSignatureResponseBuilder responseBuilder = - new VerifyXMLSignatureResponseBuilder(); - XMLSignatureVerificationResult result; - XMLSignatureVerificationProfile profile; - ReferencesCheckResult signatureManifestCheck; - DataObjectFactory dataObjFactory; - XMLDataObject signatureEnvironment; - Node signatureEnvironmentParent = null; - Element requestElement = null; - XMLSignature xmlSignature; - Date signingTime; - List supplements; - List dataObjectList; - - // get the supplements - supplements = getSupplements(request); - - // build XMLSignature - dataObjFactory = DataObjectFactory.getInstance(); - signatureEnvironment = - dataObjFactory.createSignatureEnvironment( - request.getSignatureInfo().getVerifySignatureEnvironment(), - supplements); - xmlSignature = buildXMLSignature(signatureEnvironment, request); - - // build the list of DataObjects - dataObjectList = buildDataObjectList(supplements); - - // build profile - profile = profileFactory.createProfile(); - - // get the signingTime - signingTime = request.getDateTime(); - - // make the signature environment the root of the document, if it is not a - // separate document anyway; this is done to assure that canonicalization - // of the signature environment contains the correct namespace declarations - requestElement = - signatureEnvironment.getElement().getOwnerDocument().getDocumentElement(); - if (requestElement != signatureEnvironment.getElement()) { - signatureEnvironmentParent = - signatureEnvironment.getElement().getParentNode(); - requestElement.getOwnerDocument().replaceChild( - signatureEnvironment.getElement(), - requestElement); - } - - QCSSCDResult qcsscdresult = new QCSSCDResult(); - String tpID = profile.getCertificateValidationProfile().getTrustStoreProfile().getId(); - ConfigurationProvider config = ConfigurationProvider.getInstance(); - TrustProfile tp = config.getTrustProfile(tpID); - - // verify the signature - try { - XMLSignatureVerificationModule module = - XMLSignatureVerificationModuleFactory.getInstance(); - - module.setLog(new IaikLog(loggingCtx.getNodeID())); - - result = - module.verifySignature( - xmlSignature, - dataObjectList, - profile, - signingTime, - new TransactionId(context.getTransactionID())); - } catch (IAIKException e) { - MOAException moaException = IaikExceptionMapper.getInstance().map(e); - throw moaException; - } catch (IAIKRuntimeException e) { - MOAException moaException = IaikExceptionMapper.getInstance().map(e); - throw moaException; - } - - - // QC/SSCD check - List list = result.getCertificateValidationResult().getCertificateChain(); - if (list != null) { - X509Certificate[] chain = new X509Certificate[list.size()]; - - Iterator it = list.iterator(); - int i = 0; - while(it.hasNext()) { - chain[i] = (X509Certificate)it.next(); - i++; - } - - qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled()); - } - - - // get signer certificate issuer country code - String issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate)list.get(0)); - - // swap back in the request as root document - if (requestElement != signatureEnvironment.getElement()) { - requestElement.getOwnerDocument().replaceChild( - requestElement, - signatureEnvironment.getElement()); - signatureEnvironmentParent.appendChild(signatureEnvironment.getElement()); - } - - // check the result - signatureManifestCheck = - validateSignatureManifest(request, result, profile); - - // Check if signer certificate is in trust profile's allowed signer certificates pool - TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); - CheckResult certificateCheck = validateSignerCertificate(result, trustProfile); - - - // build the response - responseBuilder.setResult(result, profile, signatureManifestCheck, certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode); - return responseBuilder.getResponse(); - } - - /** - * Checks if the signer certificate matches one of the allowed signer certificates specified - * in the provided trustProfile. - * - * @param result The result produced by the XMLSignatureVerificationModule. - * - * @param trustProfile The trust profile the signer certificate is validated against. - * - * @return The overal result of the certificate validation for the signer certificate. - * - * @throws MOAException if one of the signer certificates specified in the trustProfile - * cannot be read from the file system. - */ - private CheckResult validateSignerCertificate(XMLSignatureVerificationResult result, TrustProfile trustProfile) - throws MOAException - { - MessageProvider msg = MessageProvider.getInstance(); - - int resultCode = result.getCertificateValidationResult().getValidationResultCode().intValue(); - if (resultCode == 0 && trustProfile.getSignerCertsUri() != null) - { - X509Certificate signerCertificate = (X509Certificate) result.getCertificateValidationResult().getCertificateChain().get(0); - - File signerCertsDir = null; - try - { - signerCertsDir = new File(new URI(trustProfile.getSignerCertsUri()).getPath()); - } - catch (URIException e) - { - throw new MOASystemException("2900", null, e); // Should not happen, already checked at loading the MOA configuration - } - - File[] files = signerCertsDir.listFiles(); - if (files == null) resultCode = 1; - int i; - for (i = 0; i < files.length; i++) - { - if (!files[i].isDirectory()) - { - FileInputStream currentFIS = null; - try - { - currentFIS = new FileInputStream(files[i]); - } - catch (FileNotFoundException e) { - throw new MOASystemException("2900", null, e); - } - - try - { - X509Certificate currentCert = new X509Certificate(currentFIS); - currentFIS.close(); - if (currentCert.equals(signerCertificate)) break; - } - catch (Exception e) - { - // Simply ignore file if it cannot be interpreted as certificate - String logMsg = msg.getMessage("invoker.03", new Object[]{trustProfile.getId(), files[i].getName()}); - Logger.warn(logMsg); - try - { - currentFIS.close(); - } - catch (IOException e1) { - // If clean-up fails, do nothing - } - } - } - } - if (i >= files.length) - { - resultCode = 1; // No signer certificate from the trustprofile pool matches the actual signer certificate - } - } - - SPSSFactory factory = SPSSFactory.getInstance(); - return factory.createCheckResult(resultCode, null); - } - - - - /** - * Select the dsig:Signature DOM element within the signature - * environment. - * - * @param signatureEnvironment The signature environment containing the - * dsig:Signature. - * @param request The VerifyXMLSignatureRequest containing the - * signature environment. - * @return The dsig:Signature element wrapped in a - * XMLSignature object. - * @throws MOAApplicationException An error occurred locating the - * dsig:Signature. - */ - private XMLSignature buildXMLSignature( - XMLDataObject signatureEnvironment, - VerifyXMLSignatureRequest request) - throws MOAApplicationException { - - VerifySignatureLocation signatureLocation = - request.getSignatureInfo().getVerifySignatureLocation(); - Element signatureParent; - - // evaluate the VerifySignatureLocation to get the signature parent - signatureParent = - InvokerUtils.evaluateSignatureLocation( - signatureEnvironment.getElement(), - signatureLocation); - - // check for signatureParent to be a dsig:Signature element - if (!"Signature".equals(signatureParent.getLocalName()) - || !Constants.DSIG_NS_URI.equals(signatureParent.getNamespaceURI())) { - throw new MOAApplicationException("2266", null); - } - - return new XMLSignatureImpl(signatureParent); - } - - /** - * Build the supplemental data objects contained in the - * VerifyXMLSignatureRequest. - * - * @param supplements A List of - * XMLDataObjectAssociations containing the supplement data. - * @return A List of DataObjects representing the - * supplemental data objects. - * @throws MOASystemException A system error occurred building one of the data - * objects. - * @throws MOAApplicationException An error occurred building one of the data - * objects. - */ - private List buildDataObjectList(List supplements) - throws MOASystemException, MOAApplicationException { - List dataObjectList = new ArrayList(); - - DataObjectFactory factory = DataObjectFactory.getInstance(); - DataObject dataObject; - Iterator iter; - - if (supplements != null) { - for (iter = supplements.iterator(); iter.hasNext();) { - XMLDataObjectAssociation supplement = - (XMLDataObjectAssociation) iter.next(); - dataObject = - factory.createFromXmlDataObjectAssociation(supplement, true, false); - dataObjectList.add(dataObject); - } - } - - return dataObjectList; - - } - - /** - * Get the supplemental data contained in the - * VerifyXMLSignatureRequest. - * - * @param request The VerifyXMLSignatureRequest containing the - * supplemental data. - * @return A List of XMLDataObjectAssociation - * objects containing the supplemental data. - * @throws MOAApplicationException An error occurred resolving one of the - * supplement profiles. - */ - private List getSupplements(VerifyXMLSignatureRequest request) - throws MOAApplicationException { - TransactionContext context = - TransactionContextManager.getInstance().getTransactionContext(); - ConfigurationProvider config = context.getConfiguration(); - List supplementProfiles = request.getSupplementProfiles(); - - List supplements = new ArrayList(); - - if (supplementProfiles != null) { - - List mappedProfiles = - ProfileMapper.mapSupplementProfiles(supplementProfiles, config); - Iterator iter; - - for (iter = mappedProfiles.iterator(); iter.hasNext();) { - SupplementProfileExplicit profile = - (SupplementProfileExplicit) iter.next(); - supplements.add(profile.getSupplementProfile()); - } - - } - return supplements; - } - - /** - * Perform additional validations of the - * XMLSignatureVerificationResult. - * - *

In particular, it is verified that: - *

    - *
  • Each ReferenceData object contains transformation - * chain that matches one of the Transforms given in the - * corresponding SignatureManifestCheckParams/ReferenceInfo
    • - *
  • The hash values of the TransformParameters are valid. - *
    • - *
- *

- * - * @param request The VerifyXMLSignatureRequest containing the - * signature to verify. - * @param result The result produced by - * XMLSignatureVerificationModule. - * @param profile The profile used for validating the request. - * @return The result of additional validations of the signature manifest. - * @throws MOAApplicationException Post-validation of the - * XMLSignatureVerificaitonResult failed. - */ - private ReferencesCheckResult validateSignatureManifest( - VerifyXMLSignatureRequest request, - XMLSignatureVerificationResult result, - XMLSignatureVerificationProfile profile) - throws MOAApplicationException { - - SPSSFactory factory = SPSSFactory.getInstance(); - MessageProvider msg = MessageProvider.getInstance(); - - // validate that each ReferenceData object contains transforms specified - // in the corresponding SignatureManifestCheckParams/ReferenceInfo - if (request.getSignatureManifestCheckParams() != null) { - List refInfos = - request.getSignatureManifestCheckParams().getReferenceInfos(); - List refDatas = filterReferenceInfos(result.getReferenceDataList()); - List failedReferencesList = new ArrayList(); - Iterator refInfoIter; - Iterator refDataIter; - - if (refInfos.size() != refDatas.size()) { - return factory.createReferencesCheckResult(1, null); - } - - refInfoIter = refInfos.iterator(); - refDataIter = - filterReferenceInfos(result.getReferenceDataList()).iterator(); - - while (refInfoIter.hasNext()) { - ReferenceInfo refInfo = (ReferenceInfo) refInfoIter.next(); - ReferenceData refData = (ReferenceData) refDataIter.next(); - List transforms = buildTransformsList(refInfo); - boolean found = false; - Iterator trIter; - - for (trIter = transforms.iterator(); trIter.hasNext() && !found;) { - found = trIter.next().equals(refData.getTransformationList()); - } - - if (!found) { - Integer refIndex = new Integer(refData.getReferenceIndex()); - String logMsg = - msg.getMessage("invoker.01", new Object[] { refIndex }); - - failedReferencesList.add(refIndex); - Logger.debug(new LogMsg(logMsg)); - } - } - - if (!failedReferencesList.isEmpty()) { - // at least one reference failed - return their indexes and check code 1 - int[] failedReferences = - CollectionUtils.toIntArray(failedReferencesList); - ReferencesCheckResultInfo checkInfo = - factory.createReferencesCheckResultInfo(null, failedReferences); - - return factory.createReferencesCheckResult(1, checkInfo); - } - } - - // validate the hashes contained in all the ReferenceInfo objects of the - // security layer manifest - if (request.getSignatureManifestCheckParams() != null - && result.containsSecurityLayerManifest()) { - Map hashValues = buildTransformParameterHashValues(request); - Set transformParameterURIs = - buildTransformParameterURIs(profile.getTransformationSupplements()); - List referenceInfoList = - result.getSecurityLayerManifest().getReferenceDataList(); - Iterator refIter; - - for (refIter = referenceInfoList.iterator(); refIter.hasNext();) { - iaik.server.modules.xmlverify.ReferenceInfo ref = - (iaik.server.modules.xmlverify.ReferenceInfo) refIter.next(); - byte[] hash = (byte[]) hashValues.get(ref.getURI()); - - if (!transformParameterURIs.contains(ref.getURI()) - || (hash != null && !Arrays.equals(hash, ref.getHashValue()))) { - - // the transform parameter doesn't exist or the hashs do not match - // return the index of the failed reference and check code 1 - int[] failedReferences = new int[] { ref.getReferenceIndex()}; - ReferencesCheckResultInfo checkInfo = - factory.createReferencesCheckResultInfo(null, failedReferences); - String logMsg = - msg.getMessage( - "invoker.02", - new Object[] { new Integer(ref.getReferenceIndex())}); - - Logger.debug(new LogMsg(logMsg)); - - return factory.createReferencesCheckResult(1, checkInfo); - } - } - } - - return factory.createReferencesCheckResult(0, null); - } - - /** - * Get all Transforms contained in all the - * VerifyTransformsInfoProfiles of the given - * ReferenceInfo. - * - * @param refInfo The ReferenceInfo object containing - * the transformations. - * @return A List of Lists. Each of the - * Lists contains Transformation objects. - * @throws MOAApplicationException An error occurred building one of the - * Transformations. - */ - private List buildTransformsList(ReferenceInfo refInfo) - throws MOAApplicationException { - - TransactionContext context = - TransactionContextManager.getInstance().getTransactionContext(); - ConfigurationProvider config = context.getConfiguration(); - List profiles = refInfo.getVerifyTransformsInfoProfiles(); - List mappedProfiles = - ProfileMapper.mapVerifyTransformsInfoProfiles(profiles, config); - List transformsList = new ArrayList(); - TransformationFactory factory = TransformationFactory.getInstance(); - Iterator iter; - - for (iter = mappedProfiles.iterator(); iter.hasNext();) { - VerifyTransformsInfoProfileExplicit profile = - (VerifyTransformsInfoProfileExplicit) iter.next(); - List transforms = profile.getTransforms(); - - if (transforms != null) { - transformsList.add(factory.createTransformationList(transforms)); - } - } - - return transformsList; - } - - /** - * Build the Set of all TransformParameter URIs. - * - * @param transformParameters The List of - * TransformParameters, as provided to the verification. - * @return The Set of all TransformParameter URIs. - */ - private Set buildTransformParameterURIs(List transformParameters) { - Set uris = new HashSet(); - Iterator iter; - - for (iter = transformParameters.iterator(); iter.hasNext();) { - DataObject transformParameter = (DataObject) iter.next(); - uris.add(transformParameter.getURI()); - } - - return uris; - } - - /** - * Build a mapping between TransformParameter URIs (a - * String and dsig:HashValue (a - * byte[]). - * - * @param request The VerifyXMLSignatureRequest. - * @return Map The resulting mapping. - * @throws MOAApplicationException An error occurred accessing one of - * the profiles. - */ - private Map buildTransformParameterHashValues(VerifyXMLSignatureRequest request) - throws MOAApplicationException { - - TransactionContext context = - TransactionContextManager.getInstance().getTransactionContext(); - ConfigurationProvider config = context.getConfiguration(); - Map hashValues = new HashMap(); - List refInfos = - request.getSignatureManifestCheckParams().getReferenceInfos(); - Iterator refIter; - - for (refIter = refInfos.iterator(); refIter.hasNext();) { - ReferenceInfo refInfo = (ReferenceInfo) refIter.next(); - List profiles = refInfo.getVerifyTransformsInfoProfiles(); - List mappedProfiles = - ProfileMapper.mapVerifyTransformsInfoProfiles(profiles, config); - Iterator prIter; - - for (prIter = mappedProfiles.iterator(); prIter.hasNext();) { - VerifyTransformsInfoProfileExplicit profile = - (VerifyTransformsInfoProfileExplicit) prIter.next(); - List trParameters = profile.getTransformParameters(); - Iterator trIter; - - for (trIter = trParameters.iterator(); trIter.hasNext();) { - TransformParameter transformParameter = - (TransformParameter) trIter.next(); - String uri = transformParameter.getURI(); - - if (transformParameter.getTransformParameterType() - == TransformParameter.HASH_TRANSFORMPARAMETER) { - hashValues.put( - uri, - ((TransformParameterHash) transformParameter).getDigestValue()); - } - - } - } - } - return hashValues; - } - - /** - * Filter the ReferenceInfos returned by the - * VerifyXMLSignatureResult for comparison with the - * ReferenceInfo elements in the request. - * - * @param referenceInfos The ReferenceInfos from the - * VerifyXMLSignatureResult. - * @return A List of all ReferenceInfos whose type - * is not a XMLDsig manifest, Security Layer manifest, or ETSI signed - * property. - */ - private List filterReferenceInfos(List referenceInfos) { - List filtered = new ArrayList(); - Iterator iter; - - for (iter = referenceInfos.iterator(); iter.hasNext();) { - iaik.server.modules.xmlverify.ReferenceInfo refInfo = - (iaik.server.modules.xmlverify.ReferenceInfo) iter.next(); - String refType = refInfo.getReferenceType(); - - if (refType == null || !FILTERED_REF_TYPES.contains(refType)) { - filtered.add(refInfo); - } - } - - return filtered; - } + /** The single instance of this class. */ + private static XMLSignatureVerificationInvoker instance = null; + + private static Set FILTERED_REF_TYPES; + + static { + FILTERED_REF_TYPES = new HashSet(); + FILTERED_REF_TYPES.add(DsigManifest.XML_DSIG_MANIFEST_TYPE); + FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE); + FILTERED_REF_TYPES.add(SecurityLayerManifest.SECURITY_LAYER_MANIFEST_TYPE_OLD); + FILTERED_REF_TYPES.add(XMLConstants.NAMESPACE_ETSI_STRING + "SignedProperties"); + FILTERED_REF_TYPES.add("http://uri.etsi.org/01903#SignedProperties"); + } + + /** + * Get the single instance of this class. + * + * @return The single instance of this class. + */ + public static synchronized XMLSignatureVerificationInvoker getInstance() { + if (instance == null) { + instance = new XMLSignatureVerificationInvoker(); + } + return instance; + } + + /** + * Create a new XMLSignatureCreationInvoker. + * + * Protected to disallow multiple instances. + */ + protected XMLSignatureVerificationInvoker() { + } + + /** + * Process the VerifyXMLSignatureRequest message and invoke the + * XMLSignatureVerificationModule. + * + * @param request + * A VerifyXMLSignatureRequest API object + * containing the data for verifying an XML signature. + * @return A VerifyXMLSignatureResponse containing the answert + * to the VerifyXMLSignatureRequest. MOA schema + * definition. + * @throws MOAException + * An error occurred during signature verification. + */ + public VerifyXMLSignatureResponse verifyXMLSignature(VerifyXMLSignatureRequest request) throws MOAException { + + TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); + LoggingContext loggingCtx = LoggingContextManager.getInstance().getLoggingContext(); + XMLSignatureVerificationProfileFactory profileFactory = new XMLSignatureVerificationProfileFactory(request); + VerifyXMLSignatureResponseBuilder responseBuilder = new VerifyXMLSignatureResponseBuilder(); + ExtendedXMLSignatureVerificationResult result; + XMLSignatureVerificationProfile profile; + ReferencesCheckResult signatureManifestCheck; + DataObjectFactory dataObjFactory; + XMLDataObject signatureEnvironment; + Node signatureEnvironmentParent = null; + Element requestElement = null; + XMLSignature xmlSignature; + Date signingTime; + List supplements; + List dataObjectList; + + // get the supplements + supplements = getSupplements(request); + + // build XMLSignature + dataObjFactory = DataObjectFactory.getInstance(); + signatureEnvironment = dataObjFactory + .createSignatureEnvironment(request.getSignatureInfo().getVerifySignatureEnvironment(), supplements); + xmlSignature = buildXMLSignature(signatureEnvironment, request); + + // build the list of DataObjects + dataObjectList = buildDataObjectList(supplements); + + // build profile + profile = profileFactory.createProfile(); + + // get the signingTime + signingTime = request.getDateTime(); + + // make the signature environment the root of the document, if it is not + // a + // separate document anyway; this is done to assure that + // canonicalization + // of the signature environment contains the correct namespace + // declarations + requestElement = signatureEnvironment.getElement().getOwnerDocument().getDocumentElement(); + if (requestElement != signatureEnvironment.getElement()) { + signatureEnvironmentParent = signatureEnvironment.getElement().getParentNode(); + requestElement.getOwnerDocument().replaceChild(signatureEnvironment.getElement(), requestElement); + } + + QCSSCDResult qcsscdresult = new QCSSCDResult(); + String tpID = profile.getCertificateValidationProfile().getTrustStoreProfile().getId(); + ConfigurationProvider config = ConfigurationProvider.getInstance(); + TrustProfile tp = config.getTrustProfile(tpID); + + // verify the signature + try { + XMLSignatureVerificationModule module = XMLSignatureVerificationModuleFactory.getInstance(); + + module.setLog(new IaikLog(loggingCtx.getNodeID())); + + result = module.verifyXAdESSignature(xmlSignature, dataObjectList, profile, signingTime, + new TransactionId(context.getTransactionID())); + } catch (IAIKException e) { + MOAException moaException = IaikExceptionMapper.getInstance().map(e); + throw moaException; + } catch (IAIKRuntimeException e) { + MOAException moaException = IaikExceptionMapper.getInstance().map(e); + throw moaException; + } + + List adesResults = getAdESResult(result.getFormVerificationResult()); + + if (adesResults != null) { + Iterator adesIterator = adesResults.iterator(); + while (adesIterator.hasNext()) { + Logger.info("ADES Formresults: " + adesIterator.next().toString()); + } + } + + responseBuilder.setAdESFormResults(adesResults); + + // QC/SSCD check + List list = result.getXMLSignatureVerificationResult().getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int i = 0; + while (it.hasNext()) { + chain[i] = (X509Certificate) it.next(); + i++; + } + + qcsscdresult = CertificateUtils.checkQCSSCD(chain, tp.isTSLEnabled()); + } + + // get signer certificate issuer country code + String issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)); + + // swap back in the request as root document + if (requestElement != signatureEnvironment.getElement()) { + requestElement.getOwnerDocument().replaceChild(requestElement, signatureEnvironment.getElement()); + signatureEnvironmentParent.appendChild(signatureEnvironment.getElement()); + } + + // check the result + signatureManifestCheck = validateSignatureManifest(request, result.getXMLSignatureVerificationResult(), + profile); + + // Check if signer certificate is in trust profile's allowed signer + // certificates pool + TrustProfile trustProfile = context.getConfiguration().getTrustProfile(request.getTrustProfileId()); + CheckResult certificateCheck = validateSignerCertificate(result.getXMLSignatureVerificationResult(), + trustProfile); + + // build the response + responseBuilder.setResult(result.getXMLSignatureVerificationResult(), profile, signatureManifestCheck, + certificateCheck, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), + qcsscdresult.isSSCDSourceTSL(), tp.isTSLEnabled(), issuerCountryCode); + return responseBuilder.getResponse(); + } + + /** + * Checks if the signer certificate matches one of the allowed signer + * certificates specified in the provided trustProfile. + * + * @param result + * The result produced by the + * XMLSignatureVerificationModule. + * + * @param trustProfile + * The trust profile the signer certificate is validated against. + * + * @return The overal result of the certificate validation for the signer + * certificate. + * + * @throws MOAException + * if one of the signer certificates specified in the + * trustProfile cannot be read from the file + * system. + */ + private CheckResult validateSignerCertificate(XMLSignatureVerificationResult result, TrustProfile trustProfile) + throws MOAException { + MessageProvider msg = MessageProvider.getInstance(); + + int resultCode = result.getCertificateValidationResult().getValidationResultCode().intValue(); + if (resultCode == 0 && trustProfile.getSignerCertsUri() != null) { + X509Certificate signerCertificate = (X509Certificate) result.getCertificateValidationResult() + .getCertificateChain().get(0); + + File signerCertsDir = null; + try { + signerCertsDir = new File(new URI(trustProfile.getSignerCertsUri()).getPath()); + } catch (URIException e) { + throw new MOASystemException("2900", null, e); // Should not + // happen, + // already + // checked at + // loading the + // MOA + // configuration + } + + File[] files = signerCertsDir.listFiles(); + if (files == null) + resultCode = 1; + int i; + for (i = 0; i < files.length; i++) { + if (!files[i].isDirectory()) { + FileInputStream currentFIS = null; + try { + currentFIS = new FileInputStream(files[i]); + } catch (FileNotFoundException e) { + throw new MOASystemException("2900", null, e); + } + + try { + X509Certificate currentCert = new X509Certificate(currentFIS); + currentFIS.close(); + if (currentCert.equals(signerCertificate)) + break; + } catch (Exception e) { + // Simply ignore file if it cannot be interpreted as + // certificate + String logMsg = msg.getMessage("invoker.03", + new Object[] { trustProfile.getId(), files[i].getName() }); + Logger.warn(logMsg); + try { + currentFIS.close(); + } catch (IOException e1) { + // If clean-up fails, do nothing + } + } + } + } + if (i >= files.length) { + resultCode = 1; // No signer certificate from the trustprofile + // pool matches the actual signer certificate + } + } + + SPSSFactory factory = SPSSFactory.getInstance(); + return factory.createCheckResult(resultCode, null); + } + + /** + * Select the dsig:Signature DOM element within the signature + * environment. + * + * @param signatureEnvironment + * The signature environment containing the + * dsig:Signature. + * @param request + * The VerifyXMLSignatureRequest containing the + * signature environment. + * @return The dsig:Signature element wrapped in a + * XMLSignature object. + * @throws MOAApplicationException + * An error occurred locating the dsig:Signature. + */ + private XMLSignature buildXMLSignature(XMLDataObject signatureEnvironment, VerifyXMLSignatureRequest request) + throws MOAApplicationException { + + VerifySignatureLocation signatureLocation = request.getSignatureInfo().getVerifySignatureLocation(); + Element signatureParent; + + // evaluate the VerifySignatureLocation to get the signature parent + signatureParent = InvokerUtils.evaluateSignatureLocation(signatureEnvironment.getElement(), signatureLocation); + + // check for signatureParent to be a dsig:Signature element + if (!"Signature".equals(signatureParent.getLocalName()) + || !Constants.DSIG_NS_URI.equals(signatureParent.getNamespaceURI())) { + throw new MOAApplicationException("2266", null); + } + + return new XMLSignatureImpl(signatureParent); + } + + /** + * Build the supplemental data objects contained in the + * VerifyXMLSignatureRequest. + * + * @param supplements + * A List of XMLDataObjectAssociations + * containing the supplement data. + * @return A List of DataObjects representing the + * supplemental data objects. + * @throws MOASystemException + * A system error occurred building one of the data objects. + * @throws MOAApplicationException + * An error occurred building one of the data objects. + */ + private List buildDataObjectList(List supplements) throws MOASystemException, MOAApplicationException { + List dataObjectList = new ArrayList(); + + DataObjectFactory factory = DataObjectFactory.getInstance(); + DataObject dataObject; + Iterator iter; + + if (supplements != null) { + for (iter = supplements.iterator(); iter.hasNext();) { + XMLDataObjectAssociation supplement = (XMLDataObjectAssociation) iter.next(); + dataObject = factory.createFromXmlDataObjectAssociation(supplement, true, false); + dataObjectList.add(dataObject); + } + } + + return dataObjectList; + + } + + /** + * Get the supplemental data contained in the + * VerifyXMLSignatureRequest. + * + * @param request + * The VerifyXMLSignatureRequest containing the + * supplemental data. + * @return A List of XMLDataObjectAssociation + * objects containing the supplemental data. + * @throws MOAApplicationException + * An error occurred resolving one of the supplement profiles. + */ + private List getSupplements(VerifyXMLSignatureRequest request) throws MOAApplicationException { + TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); + ConfigurationProvider config = context.getConfiguration(); + List supplementProfiles = request.getSupplementProfiles(); + + List supplements = new ArrayList(); + + if (supplementProfiles != null) { + + List mappedProfiles = ProfileMapper.mapSupplementProfiles(supplementProfiles, config); + Iterator iter; + + for (iter = mappedProfiles.iterator(); iter.hasNext();) { + SupplementProfileExplicit profile = (SupplementProfileExplicit) iter.next(); + supplements.add(profile.getSupplementProfile()); + } + + } + return supplements; + } + + /** + * Perform additional validations of the + * XMLSignatureVerificationResult. + * + *

+ * In particular, it is verified that: + *

    + *
  • Each ReferenceData object contains transformation chain + * that matches one of the Transforms given in the + * corresponding SignatureManifestCheckParams/ReferenceInfo + *
    • + *
  • The hash values of the TransformParameters are valid. + *
    • + *
+ *

+ * + * @param request + * The VerifyXMLSignatureRequest containing the + * signature to verify. + * @param result + * The result produced by + * XMLSignatureVerificationModule. + * @param profile + * The profile used for validating the request. + * @return The result of additional validations of the signature manifest. + * @throws MOAApplicationException + * Post-validation of the + * XMLSignatureVerificaitonResult failed. + */ + private ReferencesCheckResult validateSignatureManifest(VerifyXMLSignatureRequest request, + XMLSignatureVerificationResult result, XMLSignatureVerificationProfile profile) + throws MOAApplicationException { + + SPSSFactory factory = SPSSFactory.getInstance(); + MessageProvider msg = MessageProvider.getInstance(); + + // validate that each ReferenceData object contains transforms specified + // in the corresponding SignatureManifestCheckParams/ReferenceInfo + if (request.getSignatureManifestCheckParams() != null) { + List refInfos = request.getSignatureManifestCheckParams().getReferenceInfos(); + List refDatas = filterReferenceInfos(result.getReferenceDataList()); + List failedReferencesList = new ArrayList(); + Iterator refInfoIter; + Iterator refDataIter; + + if (refInfos.size() != refDatas.size()) { + return factory.createReferencesCheckResult(1, null); + } + + refInfoIter = refInfos.iterator(); + refDataIter = filterReferenceInfos(result.getReferenceDataList()).iterator(); + + while (refInfoIter.hasNext()) { + ReferenceInfo refInfo = (ReferenceInfo) refInfoIter.next(); + ReferenceData refData = (ReferenceData) refDataIter.next(); + List transforms = buildTransformsList(refInfo); + boolean found = false; + Iterator trIter; + + for (trIter = transforms.iterator(); trIter.hasNext() && !found;) { + found = trIter.next().equals(refData.getTransformationList()); + } + + if (!found) { + Integer refIndex = new Integer(refData.getReferenceIndex()); + String logMsg = msg.getMessage("invoker.01", new Object[] { refIndex }); + + failedReferencesList.add(refIndex); + Logger.debug(new LogMsg(logMsg)); + } + } + + if (!failedReferencesList.isEmpty()) { + // at least one reference failed - return their indexes and + // check code 1 + int[] failedReferences = CollectionUtils.toIntArray(failedReferencesList); + ReferencesCheckResultInfo checkInfo = factory.createReferencesCheckResultInfo(null, failedReferences); + + return factory.createReferencesCheckResult(1, checkInfo); + } + } + + // validate the hashes contained in all the ReferenceInfo objects of the + // security layer manifest + if (request.getSignatureManifestCheckParams() != null && result.containsSecurityLayerManifest()) { + Map hashValues = buildTransformParameterHashValues(request); + Set transformParameterURIs = buildTransformParameterURIs(profile.getTransformationSupplements()); + List referenceInfoList = result.getSecurityLayerManifest().getReferenceDataList(); + Iterator refIter; + + for (refIter = referenceInfoList.iterator(); refIter.hasNext();) { + iaik.server.modules.xmlverify.ReferenceInfo ref = (iaik.server.modules.xmlverify.ReferenceInfo) refIter + .next(); + byte[] hash = (byte[]) hashValues.get(ref.getURI()); + + if (!transformParameterURIs.contains(ref.getURI()) + || (hash != null && !Arrays.equals(hash, ref.getHashValue()))) { + + // the transform parameter doesn't exist or the hashs do not + // match + // return the index of the failed reference and check code 1 + int[] failedReferences = new int[] { ref.getReferenceIndex() }; + ReferencesCheckResultInfo checkInfo = factory.createReferencesCheckResultInfo(null, + failedReferences); + String logMsg = msg.getMessage("invoker.02", new Object[] { new Integer(ref.getReferenceIndex()) }); + + Logger.debug(new LogMsg(logMsg)); + + return factory.createReferencesCheckResult(1, checkInfo); + } + } + } + + return factory.createReferencesCheckResult(0, null); + } + + /** + * Get all Transforms contained in all the + * VerifyTransformsInfoProfiles of the given + * ReferenceInfo. + * + * @param refInfo + * The ReferenceInfo object containing the + * transformations. + * @return A List of Lists. Each of the + * Lists contains Transformation objects. + * @throws MOAApplicationException + * An error occurred building one of the + * Transformations. + */ + private List buildTransformsList(ReferenceInfo refInfo) throws MOAApplicationException { + + TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); + ConfigurationProvider config = context.getConfiguration(); + List profiles = refInfo.getVerifyTransformsInfoProfiles(); + List mappedProfiles = ProfileMapper.mapVerifyTransformsInfoProfiles(profiles, config); + List transformsList = new ArrayList(); + TransformationFactory factory = TransformationFactory.getInstance(); + Iterator iter; + + for (iter = mappedProfiles.iterator(); iter.hasNext();) { + VerifyTransformsInfoProfileExplicit profile = (VerifyTransformsInfoProfileExplicit) iter.next(); + List transforms = profile.getTransforms(); + + if (transforms != null) { + transformsList.add(factory.createTransformationList(transforms)); + } + } + + return transformsList; + } + + /** + * Build the Set of all TransformParameter URIs. + * + * @param transformParameters + * The List of TransformParameters, as + * provided to the verification. + * @return The Set of all TransformParameter URIs. + */ + private Set buildTransformParameterURIs(List transformParameters) { + Set uris = new HashSet(); + Iterator iter; + + for (iter = transformParameters.iterator(); iter.hasNext();) { + DataObject transformParameter = (DataObject) iter.next(); + uris.add(transformParameter.getURI()); + } + + return uris; + } + + /** + * Build a mapping between TransformParameter URIs (a + * String and dsig:HashValue (a + * byte[]). + * + * @param request + * The VerifyXMLSignatureRequest. + * @return Map The resulting mapping. + * @throws MOAApplicationException + * An error occurred accessing one of the profiles. + */ + private Map buildTransformParameterHashValues(VerifyXMLSignatureRequest request) throws MOAApplicationException { + + TransactionContext context = TransactionContextManager.getInstance().getTransactionContext(); + ConfigurationProvider config = context.getConfiguration(); + Map hashValues = new HashMap(); + List refInfos = request.getSignatureManifestCheckParams().getReferenceInfos(); + Iterator refIter; + + for (refIter = refInfos.iterator(); refIter.hasNext();) { + ReferenceInfo refInfo = (ReferenceInfo) refIter.next(); + List profiles = refInfo.getVerifyTransformsInfoProfiles(); + List mappedProfiles = ProfileMapper.mapVerifyTransformsInfoProfiles(profiles, config); + Iterator prIter; + + for (prIter = mappedProfiles.iterator(); prIter.hasNext();) { + VerifyTransformsInfoProfileExplicit profile = (VerifyTransformsInfoProfileExplicit) prIter.next(); + List trParameters = profile.getTransformParameters(); + Iterator trIter; + + for (trIter = trParameters.iterator(); trIter.hasNext();) { + TransformParameter transformParameter = (TransformParameter) trIter.next(); + String uri = transformParameter.getURI(); + + if (transformParameter.getTransformParameterType() == TransformParameter.HASH_TRANSFORMPARAMETER) { + hashValues.put(uri, ((TransformParameterHash) transformParameter).getDigestValue()); + } + + } + } + } + return hashValues; + } + + /** + * Filter the ReferenceInfos returned by the + * VerifyXMLSignatureResult for comparison with the + * ReferenceInfo elements in the request. + * + * @param referenceInfos + * The ReferenceInfos from the + * VerifyXMLSignatureResult. + * @return A List of all ReferenceInfos whose type + * is not a XMLDsig manifest, Security Layer manifest, or ETSI + * signed property. + */ + private List filterReferenceInfos(List referenceInfos) { + List filtered = new ArrayList(); + Iterator iter; + + for (iter = referenceInfos.iterator(); iter.hasNext();) { + iaik.server.modules.xmlverify.ReferenceInfo refInfo = (iaik.server.modules.xmlverify.ReferenceInfo) iter + .next(); + String refType = refInfo.getReferenceType(); + + if (refType == null || !FILTERED_REF_TYPES.contains(refType)) { + filtered.add(refInfo); + } + } + + return filtered; + } + + private List getAdESResult(AdESFormVerificationResult adesFormVerification) { + if (adesFormVerification == null) { + // no form information + return null; + } + + List adesList = new ArrayList(); + + checkSubResult(adesFormVerification.getSubResult(SignatureVerificationProfile.LEVEL_LTA), + SignatureVerificationProfile.LEVEL_LTA, adesList); + checkSubResult(adesFormVerification.getSubResult(SignatureVerificationProfile.LEVEL_LT), + SignatureVerificationProfile.LEVEL_LT, adesList); + checkSubResult(adesFormVerification.getSubResult(SignatureVerificationProfile.LEVEL_T), + SignatureVerificationProfile.LEVEL_T, adesList); + checkSubResult(adesFormVerification.getSubResult(SignatureVerificationProfile.LEVEL_B), + SignatureVerificationProfile.LEVEL_B, adesList); + + return adesList; + } + + private void checkSubResult(AdESVerificationResult subResult, String level, List adesList) { + if (subResult != null) { + Logger.info("Checking Level: " + level); + try { + AdESFormResultsImpl adESFormResultsImpl = new AdESFormResultsImpl(); + adESFormResultsImpl.setCode(subResult.getResultCode()); + adESFormResultsImpl.setInfo(subResult.getInfo()); + adESFormResultsImpl.setName(subResult.getName()); + + adesList.add(adESFormResultsImpl); + } catch (NullPointerException e) { + Logger.warn("Catching NullPointer Exception, of invalid? Form Results", e); + } + } + } } -- cgit v1.2.3