/*
* Copyright 2003 Federal Chancellery Austria
* MOA-SPSS has been developed in a cooperation between BRZ, the Federal
* Chancellery Austria - ICT staff unit, and Graz University of Technology.
*
* Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
* the European Commission - subsequent versions of the EUPL (the "Licence");
* You may not use this work except in compliance with the Licence.
* You may obtain a copy of the Licence at:
* http://www.osor.eu/eupl/
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the Licence is distributed on an "AS IS" basis,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the Licence for the specific language governing permissions and
* limitations under the Licence.
*
* This product combines work with different licenses. See the "NOTICE" text
* file for details on the various modules and licenses.
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
*/
package at.gv.egovernment.moa.spss.server.iaik.xmlsign;
import iaik.server.modules.algorithms.SignatureAlgorithms;
import iaik.server.modules.keys.AlgorithmUnavailableException;
import iaik.server.modules.keys.KeyEntryID;
import iaik.server.modules.keys.KeyModule;
import iaik.server.modules.keys.KeyModuleFactory;
import iaik.server.modules.keys.UnknownKeyException;
import iaik.server.modules.xml.Canonicalization;
import iaik.server.modules.xmlsign.XMLSignatureCreationProfile;
import iaik.server.modules.xmlsign.XMLSignatureInsertionLocation;
import java.util.List;
import java.util.Set;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.spss.server.logging.TransactionId;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContext;
import at.gv.egovernment.moa.spss.server.transaction.TransactionContextManager;
import at.gv.egovernment.moa.spss.server.util.IdGenerator;
/**
* An object providing auxiliary information for creating an XML signature.
*
* @author Patrick Peck
* @version $Id$
*/
public class XMLSignatureCreationProfileImpl
implements XMLSignatureCreationProfile {
/** The transformations to apply to a data object. */
private List dataObjectTreatmentList;
/** The set of keys available to the signing process. */
private Set keySet;
/** The type URI of the signature manifest. */
private String securityLayerManifestTypeURI;
/** Whether the created signature is to be Security Layer conform. */
private boolean securityLayerConform;
/** Where to insert the signature into the signature environment. */
private XMLSignatureInsertionLocation signatureInsertionLocation;
/** The signature structur type. */
private String signatureStructureType;
/** The type of Canonicalization
to use for the signed info. */
private Canonicalization signedInfoCanonicalization;
/** Properties to be signed during signature creation. */
private List signedProperties;
/** The ID generator for signature IDs. */
private IdGenerator signatureIDGenerator;
/** The ID generator for manifst IDs. */
private IdGenerator manifestIDGenerator;
/** The ID generator for XMLDsig manifest IDs. */
private IdGenerator dsigManifestIDGenerator;
/** The ID generator for signed property IDs. */
private IdGenerator propertyIDGenerator;
/** The selected digest method algorithm if XAdES 1.4.2 is used */
private String digestMethodXAdES142;
/**
* Create a new XMLSignatureCreationProfileImpl
.
*
* @param createProfileCount Provides external information about the
* number of calls to the signature creation module, using the same request.
* @param reservedIDs The set of IDs that must not be used while generating
* new IDs.
*/
public XMLSignatureCreationProfileImpl(
int createProfileCount,
Set reservedIDs,
String digestMethodXAdES142) {
signatureIDGenerator =
new IdGenerator("signature-" + createProfileCount, reservedIDs);
manifestIDGenerator =
new IdGenerator("manifest-" + createProfileCount, reservedIDs);
dsigManifestIDGenerator =
new IdGenerator("dsig-manifest-" + createProfileCount, reservedIDs);
propertyIDGenerator =
new IdGenerator("etsi-signed-" + createProfileCount, reservedIDs);
this.digestMethodXAdES142 = digestMethodXAdES142;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getDataObjectTreatmentList()
*/
public List getDataObjectTreatmentList() {
return dataObjectTreatmentList;
}
/**
* Sets the list of DataObjectTreatment
s.
*
* @param dataObjectTreatmentList The DataObjectTreatment
s to
* set.
*/
public void setDataObjectTreatmentList(List dataObjectTreatmentList) {
this.dataObjectTreatmentList = dataObjectTreatmentList;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getKeySet()
*/
public Set getKeySet() {
return keySet;
}
/**
* Set the set of KeyEntryID
s which may be used for signature
* creation.
*
* @param keySet The set of KeyEntryID
s to set.
*/
public void setKeySet(Set keySet) {
this.keySet = keySet;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSecurityLayerManifestTypeURI()
*/
public String getSecurityLayerManifestTypeURI() {
return securityLayerManifestTypeURI;
}
/**
* Set the SecurityLayerManifestTypeURI.
*
* @param securityLayerManifestTypeURI The SecurityLayerManifestTypeURI to
* set.
*/
public void setSecurityLayerManifestTypeURI(String securityLayerManifestTypeURI) {
this.securityLayerManifestTypeURI = securityLayerManifestTypeURI;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureAlgorithmName(KeyEntryID)
*/
public String getSignatureAlgorithmName(KeyEntryID selectedKeyID)
throws AlgorithmUnavailableException {
TransactionContext context =
TransactionContextManager.getInstance().getTransactionContext();
TransactionId tid = new TransactionId(context.getTransactionID());
KeyModule module = KeyModuleFactory.getInstance(tid);
Set algorithms;
try {
algorithms = module.getSupportedSignatureAlgorithms(selectedKeyID);
} catch (UnknownKeyException e) {
throw new AlgorithmUnavailableException(
"Unknown key entry: " + selectedKeyID,
e,
null);
}
if (digestMethodXAdES142 == null) {
// XAdES 1.4.2 not enabled - legacy MOA
if (algorithms.contains(SignatureAlgorithms.MD2_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.MD5_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.RIPEMD128_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.RIPEMD160_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)
|| algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
return SignatureAlgorithms.SHA1_WITH_RSA;
} else if (
algorithms.contains(SignatureAlgorithms.ECDSA)) {
return SignatureAlgorithms.ECDSA;
} else if (
algorithms.contains(SignatureAlgorithms.DSA)) {
return SignatureAlgorithms.DSA;
} else {
throw new AlgorithmUnavailableException(
"No algorithm for key entry: " + selectedKeyID,
null,
null);
}
}
else {
// XAdES 1.4.2 is enabled: select signature algorithm according to selected digest method
if (digestMethodXAdES142.compareTo("SHA-1") == 0) {
Logger.warn("XAdES version 1.4.2 is enabled, but SHA-1 is configured as digest algorithm. Please revise a use of a more secure digest algorithm out of the SHA-2 family (e.g. SHA-256, SHA-384, SHA-512)");
if (algorithms.contains(SignatureAlgorithms.SHA1_WITH_RSA)) {
return SignatureAlgorithms.SHA1_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.ECDSA)) {
return SignatureAlgorithms.ECDSA;
} else if (algorithms.contains(SignatureAlgorithms.DSA)) {
return SignatureAlgorithms.DSA;
} else {
throw new AlgorithmUnavailableException(
"No algorithm for key entry: " + selectedKeyID,
null,
null);
}
} else if (digestMethodXAdES142.compareTo("SHA-256") == 0) {
if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_RSA)) {
return SignatureAlgorithms.SHA256_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA256_WITH_ECDSA)) {
return SignatureAlgorithms.SHA256_WITH_ECDSA;
} else if (algorithms.contains(SignatureAlgorithms.DSA)) {
return SignatureAlgorithms.DSA;
} else {
throw new AlgorithmUnavailableException(
"No algorithm for key entry: " + selectedKeyID,
null,
null);
}
} else if (digestMethodXAdES142.compareTo("SHA-384") == 0) {
if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_RSA)) {
return SignatureAlgorithms.SHA384_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA384_WITH_ECDSA)) {
return SignatureAlgorithms.SHA384_WITH_ECDSA;
} else if (algorithms.contains(SignatureAlgorithms.DSA)) {
return SignatureAlgorithms.DSA;
} else {
throw new AlgorithmUnavailableException(
"No algorithm for key entry: " + selectedKeyID,
null,
null);
}
} else if (digestMethodXAdES142.compareTo("SHA-512") == 0) {
if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_RSA)) {
return SignatureAlgorithms.SHA512_WITH_RSA;
} else if (algorithms.contains(SignatureAlgorithms.SHA512_WITH_ECDSA)) {
return SignatureAlgorithms.SHA512_WITH_ECDSA;
} else if (algorithms.contains(SignatureAlgorithms.DSA)) {
return SignatureAlgorithms.DSA;
} else {
throw new AlgorithmUnavailableException(
"No algorithm for key entry: " + selectedKeyID,
null,
null);
}
}
else {
throw new AlgorithmUnavailableException(
"No signature algorithm found for digest algorithm '" + digestMethodXAdES142,
null,
null);
}
}
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureInsertionLocation()
*/
public XMLSignatureInsertionLocation getSignatureInsertionLocation() {
return signatureInsertionLocation;
}
/**
* Set the location where the signature is to be inserted into the signature
* parent.
*
* @param signatureInsertionLocation The location to set.
*/
public void setSignatureInsertionLocation(XMLSignatureInsertionLocation signatureInsertionLocation) {
this.signatureInsertionLocation = signatureInsertionLocation;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureStructureType()
*/
public String getSignatureStructureType() {
return signatureStructureType;
}
/**
* Set the signature structure type.
* @param signatureStructureType The signature structure type to set.
*/
public void setSignatureStructureType(String signatureStructureType) {
this.signatureStructureType = signatureStructureType;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedInfoCanonicalization()
*/
public Canonicalization getSignedInfoCanonicalization() {
return signedInfoCanonicalization;
}
/**
* Sets the canonicalization method to use for the SignedInfo object.
*
* @param signedInfoCanonicalization The canonicalization method to set.
*/
public void setSignedInfoCanonicalization(Canonicalization signedInfoCanonicalization) {
this.signedInfoCanonicalization = signedInfoCanonicalization;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedProperties()
*/
public List getSignedProperties() {
return signedProperties;
}
/**
* Set the signed properties.
*
* @param signedProperties The signed properties to set.
*/
public void setSignedProperties(List signedProperties) {
this.signedProperties = signedProperties;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#isSecurityLayerConform()
*/
public boolean isSecurityLayerConform() {
return securityLayerConform;
}
/**
* Sets the security layer conformity.
*
* @param securityLayerConform true
, if the created signature
* is to be conform to the Security Layer specification.
*/
public void setSecurityLayerConform(boolean securityLayerConform) {
this.securityLayerConform = securityLayerConform;
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignatureID()
*/
public String getSignatureID() {
return signatureIDGenerator.uniqueId();
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSecurityLayerManifestID()
*/
public String getSecurityLayerManifestID() {
return manifestIDGenerator.uniqueId();
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getDsigManifestID()
*/
public String getDsigManifestID() {
return dsigManifestIDGenerator.uniqueId();
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getSignedPropertiesID()
*/
public String getSignedPropertiesID() {
return propertyIDGenerator.uniqueId();
}
/**
* @see iaik.server.modules.xmlsign.XMLSignatureCreationProfile#getPermitFileURIs()
*/
public boolean getPermitFileURIs() {
return false;
}
}