From f10add103c0a094e908c5399d9575e7c2f1393d2 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 3 Feb 2017 10:51:53 +0100 Subject: fix problem in SystemInitializer order that prevent the use of the TSL certstore switch to version RC4 --- moaSig/build.gradle | 2 +- .../moa/spss/server/init/SystemInitializer.java | 33 ++++++++++++---------- 2 files changed, 19 insertions(+), 16 deletions(-) (limited to 'moaSig') diff --git a/moaSig/build.gradle b/moaSig/build.gradle index 808a960..4fe3b49 100644 --- a/moaSig/build.gradle +++ b/moaSig/build.gradle @@ -21,7 +21,7 @@ subprojects { testCompile 'junit:junit:4.8.2' } - version = '3.1.0-RC3' + version = '3.1.0-RC4' jar { manifest.attributes provider: 'EGIZ', 'Specification-Version': getCheckedOutGitCommitHash(), 'Implementation-Version': project.version } } diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java index 295e861..0e592f0 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/init/SystemInitializer.java @@ -143,27 +143,30 @@ public class SystemInitializer { // initialize configuration try { - ConfigurationProvider config = ConfigurationProvider.getInstance(); - Logger.info("Building ConfigurationData"); - ConfigurationData configData = new IaikConfigurator().configure(config); + Logger.info("Initialize MOA-SP/SS configuration ... "); + ConfigurationProvider config = ConfigurationProvider.getInstance(); - //initialize TSL module - TSLConfiguration moaSPTslConfig = config.getTSLConfiguration(); - if (moaSPTslConfig != null) { - TslConfigurationImpl tslConfig = new TslConfigurationImpl(); - tslConfig.setEuTslURL(moaSPTslConfig.getEuTSLUrl()); - tslConfig.setTslWorkingDirectory(moaSPTslConfig.getWorkingDirectory()); - tslConfig.setNetworkReadTimeout(config.getReadTimeout() / 1000); + //initialize TSL module + TSLConfiguration moaSPTslConfig = config.getTSLConfiguration(); + if (moaSPTslConfig != null) { + Logger.debug("Starting TSL-Service initialization ... "); + TslConfigurationImpl tslConfig = new TslConfigurationImpl(); + tslConfig.setEuTslURL(moaSPTslConfig.getEuTSLUrl()); + tslConfig.setTslWorkingDirectory(moaSPTslConfig.getWorkingDirectory()); + tslConfig.setNetworkReadTimeout(config.getReadTimeout() / 1000); - Logger.info(new LogMsg(msg.getMessage("config.41", null))); - TSLServiceFactory.initialize(tslConfig); - Logger.info("TSL-Service client initialization finished"); + Logger.info(new LogMsg(msg.getMessage("config.41", null))); + TSLServiceFactory.initialize(tslConfig); + Logger.info("TSL-Service client initialization finished"); - //initialize TSL Update Task - initTSLUpdateTask(moaSPTslConfig); + //initialize TSL Update Task + initTSLUpdateTask(moaSPTslConfig); } + Logger.info("Building IAIK-MOA configuration ... "); + new IaikConfigurator().configure(config); + runInitializer(config); Logger.info(new LogMsg(msg.getMessage("init.01", null))); -- cgit v1.2.3 From 9f691daa2c2b829b6dec0c132a348e0db6ba9488 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 9 Feb 2017 17:02:37 +0100 Subject: update PDFVerification interface to return signature results that FAILS --- .../resources/resources/schemas/MOA-SPSS-3.0.0.xsd | 2 +- .../xmlbind/VerifyPDFSignatureResponseBuilder.java | 39 +++++++++++++--------- .../invoke/CMSSignatureVerificationInvoker.java | 32 +++++++++--------- .../invoke/VerifyCMSSignatureResponseBuilder.java | 37 +++++++++++--------- 4 files changed, 62 insertions(+), 48 deletions(-) (limited to 'moaSig') diff --git a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-3.0.0.xsd b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-3.0.0.xsd index 4916b89..d4ed4a2 100644 --- a/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-3.0.0.xsd +++ b/moaSig/common/src/main/resources/resources/schemas/MOA-SPSS-3.0.0.xsd @@ -300,7 +300,7 @@ - + only ds:X509Data and RetrievalMethod is supported; QualifiedCertificate is included as diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyPDFSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyPDFSignatureResponseBuilder.java index 98b54a3..0ca6f8f 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyPDFSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/api/xmlbind/VerifyPDFSignatureResponseBuilder.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponseElemen import at.gv.egovernment.moa.spss.api.common.CheckResult; import at.gv.egovernment.moa.spss.api.common.SignerInfo; import at.gv.egovernment.moa.spss.api.xmlverify.AdESFormResults; +import at.gv.egovernment.moaspss.logging.Logger; /** * Convert a VerifyCMSSignatureResponse API object into its @@ -104,22 +105,28 @@ public class VerifyPDFSignatureResponseBuilder { CheckResult signatureCheck = responseElement.getSignatureCheck(); CheckResult certCheck = responseElement.getCertificateCheck(); - ResponseBuilderUtils.addSignerInfo( - responseDoc, - responseElem, - signerInfo.getSignerCertificate(), - signerInfo.isQualifiedCertificate(), - signerInfo.getQCSource(), - signerInfo.isPublicAuthority(), - signerInfo.getPublicAuhtorityID(), - signerInfo.isSSCD(), - signerInfo.getSSCDSource(), - signerInfo.getIssuerCountryCode(), - signerInfo.getTslInfos()); - - ResponseBuilderUtils.addSigningTime(responseDoc, - responseElem, - signerInfo.getSigningTime()); + if (signerInfo != null) { + ResponseBuilderUtils.addSignerInfo( + responseDoc, + responseElem, + signerInfo.getSignerCertificate(), + signerInfo.isQualifiedCertificate(), + signerInfo.getQCSource(), + signerInfo.isPublicAuthority(), + signerInfo.getPublicAuhtorityID(), + signerInfo.isSSCD(), + signerInfo.getSSCDSource(), + signerInfo.getIssuerCountryCode(), + signerInfo.getTslInfos()); + + ResponseBuilderUtils.addSigningTime(responseDoc, + responseElem, + signerInfo.getSigningTime()); + + } else { + Logger.info("Find signature result with no 'SignerInfo'. Maybe a signature verification Failed"); + + } ResponseBuilderUtils.addCodeInfoElement( responseDoc, diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java index 1508b42..c0beced 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/CMSSignatureVerificationInvoker.java @@ -361,25 +361,27 @@ public class CMSSignatureVerificationInvoker { String issuerCountryCode = null; // QC/SSCD check + + if (cmsResult.getCertificateValidationResult() != null) { + List list = cmsResult.getCertificateValidationResult().getCertificateChain(); + if (list != null) { + X509Certificate[] chain = new X509Certificate[list.size()]; + + Iterator it = list.iterator(); + int i = 0; + while (it.hasNext()) { + chain[i] = (X509Certificate) it.next(); + i++; + } - List list = cmsResult.getCertificateValidationResult().getCertificateChain(); - if (list != null) { - X509Certificate[] chain = new X509Certificate[list.size()]; - - Iterator it = list.iterator(); - int i = 0; - while (it.hasNext()) { - chain[i] = (X509Certificate) it.next(); - i++; - } - - qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), trustProfile.isTSLEnabled(), ConfigurationProvider.getInstance()); + qcsscdresult = CertificateUtils.checkQCSSCD(chain, cmsResult.getSigningTime(), trustProfile.isTSLEnabled(), ConfigurationProvider.getInstance()); - // get signer certificate issuer country code - issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)); + // get signer certificate issuer country code + issuerCountryCode = CertificateUtils.getIssuerCountry((X509Certificate) list.get(0)); + } } - + responseBuilder.addResult(cmsResult, trustProfile, qcsscdresult.isQC(), qcsscdresult.isQCSourceTSL(), qcsscdresult.isSSCD(), qcsscdresult.isSSCDSourceTSL(), issuerCountryCode, adesResults, extCheckResult, qcsscdresult.getTslInfos()); diff --git a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java index 5ada287..f4121b0 100644 --- a/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java +++ b/moaSig/moa-sig-lib/src/main/java/at/gv/egovernment/moa/spss/server/invoke/VerifyCMSSignatureResponseBuilder.java @@ -151,28 +151,33 @@ public class VerifyCMSSignatureResponseBuilder { result.getCertificateValidationResult(); int signatureCheckCode = result.getSignatureValueVerificationCode().intValue(); - int certificateCheckCode = certResult.getValidationResultCode().intValue(); - + VerifyCMSSignatureResponseElement responseElement; - SignerInfo signerInfo; + SignerInfo signerInfo = null; CheckResult signatureCheck; CheckResult certificateCheck; boolean qualifiedCertificate = checkQC; - // add SignerInfo element - signerInfo = - factory.createSignerInfo( - (X509Certificate) certResult.getCertificateChain().get(0), - qualifiedCertificate, - qcSourceTSL, - certResult.isPublicAuthorityCertificate(), - certResult.getPublicAuthorityID(), - checkSSCD, - sscdSourceTSL, - issuerCountryCode, - result.getSigningTime(), - tslInfos); + //set code 99 if not certcheckresult exists + int certificateCheckCode = 99; + if (certResult != null) { + certificateCheckCode = certResult.getValidationResultCode().intValue(); + + // add SignerInfo element + signerInfo = + factory.createSignerInfo( + (X509Certificate) certResult.getCertificateChain().get(0), + qualifiedCertificate, + qcSourceTSL, + certResult.isPublicAuthorityCertificate(), + certResult.getPublicAuthorityID(), + checkSSCD, + sscdSourceTSL, + issuerCountryCode, + result.getSigningTime(), + tslInfos); + } // add SignatureCheck element signatureCheck = factory.createCheckResult(signatureCheckCode, null); -- cgit v1.2.3 From 6a500009a5a8a630d3910b2f71a33c5fbbf37eda Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 10 Feb 2017 07:11:19 +0100 Subject: update xml scheme at additional locations --- .../resources/schemas/MOA-SPSS-2.0.0.wsdl | 132 ++-- .../resources/resources/schemas/MOA-SPSS-3.0.0.xsd | 2 +- .../src/main/webapp/schemas/MOA-SPSS-3.0.0.xsd | 813 +++++++++++++++++++++ 3 files changed, 870 insertions(+), 77 deletions(-) create mode 100644 moaSig/moa-sig/src/main/webapp/schemas/MOA-SPSS-3.0.0.xsd (limited to 'moaSig') diff --git a/moaSig/moa-sig/src/main/resources/resources/schemas/MOA-SPSS-2.0.0.wsdl b/moaSig/moa-sig/src/main/resources/resources/schemas/MOA-SPSS-2.0.0.wsdl index 2bcadc6..f822a52 100644 --- a/moaSig/moa-sig/src/main/resources/resources/schemas/MOA-SPSS-2.0.0.wsdl +++ b/moaSig/moa-sig/src/main/resources/resources/schemas/MOA-SPSS-2.0.0.wsdl @@ -1,65 +1,56 @@ - - + + - + - + - - + - + - + - + - + - + - + - + - + - + - + - - - + + + - - - + + + - + - + - + @@ -126,59 +112,50 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -197,4 +174,7 @@ URL. --> + diff --git a/moaSig/moa-sig/src/main/resources/resources/schemas/MOA-SPSS-3.0.0.xsd b/moaSig/moa-sig/src/main/resources/resources/schemas/MOA-SPSS-3.0.0.xsd index 4916b89..d4ed4a2 100644 --- a/moaSig/moa-sig/src/main/resources/resources/schemas/MOA-SPSS-3.0.0.xsd +++ b/moaSig/moa-sig/src/main/resources/resources/schemas/MOA-SPSS-3.0.0.xsd @@ -300,7 +300,7 @@ - + only ds:X509Data and RetrievalMethod is supported; QualifiedCertificate is included as diff --git a/moaSig/moa-sig/src/main/webapp/schemas/MOA-SPSS-3.0.0.xsd b/moaSig/moa-sig/src/main/webapp/schemas/MOA-SPSS-3.0.0.xsd new file mode 100644 index 0000000..d4ed4a2 --- /dev/null +++ b/moaSig/moa-sig/src/main/webapp/schemas/MOA-SPSS-3.0.0.xsd @@ -0,0 +1,813 @@ + + + + + + + + + + + + + + + + + + + + Ermöglichung der Stapelsignatur durch + wiederholte Angabe dieses Elements + + + + + + + + + + + + + + + + + + + + + + Kardinalität 1..oo erlaubt die Antwort auf eine + Stapelsignatur-Anfrage + + + + Resultat, falls die Signaturerstellung + erfolgreich war + + + + + + + + + + + + + + + + + + + + Ermöglichung der Stapelsignatur durch + wiederholte Angabe dieses Elements + + + + + + + + + + + + + + + + + + + Auswahl: Entweder explizite Angabe des + Signaturorts sowie ggf. sinnvoller Supplements im Zshg. mit + der Signaturumgebung, oder Verweis auf ein benanntes Profil + + + + + + + + + + + + + + + + + + + Kardinalität 1..oo erlaubt die Antwort auf eine + Stapelsignatur-Anfrage + + + + Resultat, falls die Signaturerstellung + erfolgreich war + + + + + + + + + + + + + + + + + + + + + + + + + + Ermöglichung der Stapelsignatur durch + wiederholte Angabe dieses Elements + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + mit diesem Profil wird eine Menge von + vertrauenswürdigen Wurzelzertifikaten spezifiziert + + + + + + + + + + + + only ds:X509Data and RetrievalMethod is + supported; QualifiedCertificate is included as + X509Data/any;publicAuthority is included as X509Data/any; + SecureSignatureCreationDevice is included as X509Data/any, + IssuingCountry is included as X509Data/any + + + + + + + + + + + + + only ds:X509Data and RetrievalMethod is + supported; QualifiedCertificate is included as + X509Data/any;publicAuthority is included as X509Data/any; + SecureSignatureCreationDevice is included as X509Data/any, + IssuingCountry is included as X509Data/any, + TSLInformation is included as X509Data/any + + + + + + + + + + + + + + + + + + + + + + + + + + + + mit diesem Profil wird eine Menge von + vertrauenswürdigen Wurzelzertifikaten spezifiziert + + + + + + + + + + + + + + + + + + + + + + asics or asice + + + + + mit diesem Profil wird eine Menge von + vertrauenswürdigen Wurzelzertifikaten spezifiziert + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + only ds:X509Data and RetrievalMethod is + supported; QualifiedCertificate is included as + X509Data/any;publicAuthority is included as X509Data/any; + SecureSignatureCreationDevice is included as X509Data/any, + IssuingCountry is included as X509Data/any + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Pro dsig:Reference-Element in der zu + überprüfenden XML-Signatur muss hier ein + ReferenceInfo-Element erscheinen. Die Reihenfolge der einzelnen + ReferenceInfo Elemente entspricht jener der dsig:Reference + Elemente in der XML-Signatur. + + + + + + + + + + mit diesem Profil wird eine Menge von + vertrauenswürdigen Wurzelzertifikaten spezifiziert + + + + + + + + + + + + only ds:X509Data and ds:RetrievalMethod is + supported; QualifiedCertificate is included as X509Data/any; + PublicAuthority is included as X509Data/any; + SecureSignatureCreationDevice is included as X509Data/any, + IssuingCountry is included as X509Data/any + + + + + + + + + + + + + + + + + only ds:X509Data and ds:RetrievalMethod is + supported; QualifiedCertificate is included as X509Data/any; + PublicAuthority is included as X509Data/any; + SecureSignatureCreationDevice is included as X509Data/any, + IssuingCountry is included as X509Data/any + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Auswahl: Entweder explizite Angabe EINER + Transformationskette inklusive ggf. sinnvoller Supplements oder + Verweis auf ein benanntes Profil + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Resultat, falls die Signaturerstellung + erfolgreich war + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Resultat, falls die Signaturerstellung gescheitert + ist + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Ein oder mehrere Transformationswege können von + der Applikation an MOA mitgeteilt werden. Die zu prüfende Signatur + hat zumindest einem dieser Transformationswege zu entsprechen. Die + Angabe kann explizit oder als Profilbezeichner erfolgen. + + + + + + Profilbezeichner für einen Transformationsweg + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Die Angabe des Transformationsparameters + (explizit oder als Hashwert) kann unterlassen werden, wenn die + Applikation von der Unveränderlichkeit des Inhalts der in + "Transformationsparamter", Attribut "URI" angegebenen URI ausgehen + kann. + + + + Der Transformationsparameter explizit angegeben. + + + + + + Der Hashwert des Transformationsparameters. + + + + + + + + + + + + + + + + + + + + + + + Explizite Angabe des Transformationswegs + + + + + + + + Alle impliziten Transformationsparameter, die + zum Durchlaufen der oben angeführten Transformationskette + bekannt sein müssen, müssen hier angeführt werden. Das + Attribut "URI" bezeichnet den Transformationsparameter in exakt + jener Weise, wie er in der zu überprüfenden Signatur gebraucht + wird. + + + + + + + + + + + + + + + + -- cgit v1.2.3 From fd922888dbe58582fb4a045ad93da1cf2664a744 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 10 Feb 2017 07:11:44 +0100 Subject: switch to next RC5 version --- moaSig/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'moaSig') diff --git a/moaSig/build.gradle b/moaSig/build.gradle index 4fe3b49..247bf08 100644 --- a/moaSig/build.gradle +++ b/moaSig/build.gradle @@ -21,7 +21,7 @@ subprojects { testCompile 'junit:junit:4.8.2' } - version = '3.1.0-RC4' + version = '3.1.0-RC5' jar { manifest.attributes provider: 'EGIZ', 'Specification-Version': getCheckedOutGitCommitHash(), 'Implementation-Version': project.version } } -- cgit v1.2.3